From patchwork Wed May 13 09:44:29 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Greg KH X-Patchwork-Id: 226033 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-9.9 required=3.0 tests=DKIMWL_WL_HIGH, DKIM_SIGNED, DKIM_VALID, HEADER_FROM_DIFFERENT_DOMAINS, INCLUDES_PATCH, MAILING_LIST_MULTI, SIGNED_OFF_BY,SPF_HELO_NONE,SPF_PASS,URIBL_BLOCKED,USER_AGENT_GIT autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 82CB7C2D0FA for ; Wed, 13 May 2020 09:46:19 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id 60D9123126 for ; Wed, 13 May 2020 09:46:19 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1589363179; bh=iS7eAURgS/wF/PWdxHp0Cl49YaiEufuniPsH1gRlEeM=; h=From:To:Cc:Subject:Date:In-Reply-To:References:List-ID:From; b=JIHCz+RvPVZfjYpeBunAQfh9VEoOflLlpyNWQUgBBspF09N0QxMQuooQGZysaVJwy L1gWkTA2TwoBlYVb6OSrPxhFtR40qyZFkwKzK2Wh2tbI9iE+V3cKX8lPpPHE/L7AuF 1Cw3qilOFVY+ocDyYnvmZNb93PGCRwKFkoC5nDR8= Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1732595AbgEMJqS (ORCPT ); Wed, 13 May 2020 05:46:18 -0400 Received: from mail.kernel.org ([198.145.29.99]:43636 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1732603AbgEMJqS (ORCPT ); Wed, 13 May 2020 05:46:18 -0400 Received: from localhost (83-86-89-107.cable.dynamic.v4.ziggo.nl [83.86.89.107]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 0130220753; Wed, 13 May 2020 09:46:15 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1589363176; 
bh=iS7eAURgS/wF/PWdxHp0Cl49YaiEufuniPsH1gRlEeM=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=BhpS/NryXrl7/Rlp7r/0xJoCF3moDFTAWzJtqiBKi0cTamoFKVdemQ3Zaom9Q8BKk qEcm7FSOoy7+jM7J8M7jQ/cqnnHU5b0uxGt1iQf1/siG/wqlMjbTdTiyumJG5Ktykn RBP8fVCsbJ3SN2rmy6TykSA8sRf9dXROGmzpayKQ= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Nicolas Pitre , syzbot+0bfda3ade1ee9288a1be@syzkaller.appspotmail.com, Sam Ravnborg , Sasha Levin Subject: [PATCH 4.19 03/48] vt: fix unicode console freeing with a common interface Date: Wed, 13 May 2020 11:44:29 +0200 Message-Id: <20200513094352.389302207@linuxfoundation.org> X-Mailer: git-send-email 2.26.2 In-Reply-To: <20200513094351.100352960@linuxfoundation.org> References: <20200513094351.100352960@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Sender: stable-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: stable@vger.kernel.org From: Nicolas Pitre [ Upstream commit 57d38f26d81e4275748b69372f31df545dcd9b71 ] By directly using kfree() in different places we risk missing one if it is switched to using vfree(), especially if the corresponding vmalloc() is hidden away within a common abstraction. Oh wait, that's exactly what happened here. So let's fix this by creating a common abstraction for the free case as well. Signed-off-by: Nicolas Pitre Reported-by: syzbot+0bfda3ade1ee9288a1be@syzkaller.appspotmail.com Fixes: 9a98e7a80f95 ("vt: don't use kmalloc() for the unicode screen buffer") Cc: Reviewed-by: Sam Ravnborg Link: https://lore.kernel.org/r/nycvar.YSQ.7.76.2005021043110.2671@knanqh.ubzr Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin --- drivers/tty/vt/vt.c | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/drivers/tty/vt/vt.c b/drivers/tty/vt/vt.c index ca8c6ddc1ca8c..5c7a968a5ea67 100644 --- a/drivers/tty/vt/vt.c +++ b/drivers/tty/vt/vt.c 
@@ -365,9 +365,14 @@ static struct uni_screen *vc_uniscr_alloc(unsigned int cols, unsigned int rows) return uniscr; } +static void vc_uniscr_free(struct uni_screen *uniscr) +{ + vfree(uniscr); +} + static void vc_uniscr_set(struct vc_data *vc, struct uni_screen *new_uniscr) { - vfree(vc->vc_uni_screen); + vc_uniscr_free(vc->vc_uni_screen); vc->vc_uni_screen = new_uniscr; } 
@@ -1233,7 +1238,7 @@ static int vc_do_resize(struct tty_struct *tty, struct vc_data *vc, err = resize_screen(vc, new_cols, new_rows, user); if (err) { kfree(newscreen); - kfree(new_uniscr); + vc_uniscr_free(new_uniscr); return err; } From patchwork Wed May 13 09:44:30 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Greg KH X-Patchwork-Id: 225911 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-6.9 required=3.0 tests=DKIMWL_WL_HIGH, DKIM_SIGNED, DKIM_VALID, HEADER_FROM_DIFFERENT_DOMAINS, MAILING_LIST_MULTI, SIGNED_OFF_BY, SPF_HELO_NONE, SPF_PASS, URIBL_BLOCKED, USER_AGENT_GIT autolearn=unavailable autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 5F6C7CA90AF for ; Wed, 13 May 2020 10:05:34 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id 33264206D6 for ; Wed, 13 May 2020 10:05:34 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1589364334; bh=HokuufDRAM7oWalWhPRiWqAim20UNg+s0sNa4Ozzl/I=; h=From:To:Cc:Subject:Date:In-Reply-To:References:List-ID:From; b=1ru9G++4gkgwb0gosW4jJK/gfil9tViFBXzhRR6AkpdoXQfd62aY3jVrQQstqcnF5 iozErcZYLg7DfiaK3shhTTBP9el/noo39d8D7/6mU/RF2aHb0A00K0E5qTayta7nuK c3+T0tQhwUe5h/t3q99YGRHYSA/qJ9HFZrGwawEY= Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1732615AbgEMJqW (ORCPT ); Wed, 13 May 2020 05:46:22 -0400 Received: from mail.kernel.org ([198.145.29.99]:43692 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1732608AbgEMJqT (ORCPT ); Wed, 13 May 2020 05:46:19 -0400 Received: from localhost (83-86-89-107.cable.dynamic.v4.ziggo.nl [83.86.89.107]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 
(256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 69C7720769; Wed, 13 May 2020 09:46:18 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1589363178; bh=HokuufDRAM7oWalWhPRiWqAim20UNg+s0sNa4Ozzl/I=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=PvGnNgTT8XTcPaNcYGc03HXhaiWsPJi6AjWXxk1fWySbSUPCLbYgKjbPt+y23sixl NYncQCJRTzTkTBkMTOAqQylsqugO4bpX6vKrWMDCmdCNojtjAADNVxf6aauJeMWtiR GiKDi6UGpNhyhYArXoHIOHFKMoJlWK7wVMnaDG1c= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Julia Lawall , "David S. Miller" Subject: [PATCH 4.19 04/48] dp83640: reverse arguments to list_add_tail Date: Wed, 13 May 2020 11:44:30 +0200 Message-Id: <20200513094352.744242697@linuxfoundation.org> X-Mailer: git-send-email 2.26.2 In-Reply-To: <20200513094351.100352960@linuxfoundation.org> References: <20200513094351.100352960@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Sender: stable-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: stable@vger.kernel.org From: Julia Lawall [ Upstream commit 865308373ed49c9fb05720d14cbf1315349b32a9 ] In this code, it appears that phyter_clocks is a list head, based on the previous list_for_each, and that clock->list is intended to be a list element, given that it has just been initialized in dp83640_clock_init. Accordingly, switch the arguments to list_add_tail, which takes the list head as the second argument. Fixes: cb646e2b02b27 ("ptp: Added a clock driver for the National Semiconductor PHYTER.") Signed-off-by: Julia Lawall Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman --- drivers/net/phy/dp83640.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- a/drivers/net/phy/dp83640.c +++ b/drivers/net/phy/dp83640.c 
@@ -1114,7 +1114,7 @@ static struct dp83640_clock *dp83640_clo goto out; } dp83640_clock_init(clock, bus); - list_add_tail(&phyter_clocks, &clock->list); + list_add_tail(&clock->list, &phyter_clocks); out: mutex_unlock(&phyter_clocks_lock); From patchwork Wed May 13 09:44:33 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Greg KH X-Patchwork-Id: 225912 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-6.9 required=3.0 tests=DKIMWL_WL_HIGH, DKIM_SIGNED, DKIM_VALID, HEADER_FROM_DIFFERENT_DOMAINS, MAILING_LIST_MULTI, SIGNED_OFF_BY, SPF_HELO_NONE, SPF_PASS, URIBL_BLOCKED, USER_AGENT_GIT autolearn=unavailable autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 570B2C2D0FA for ; Wed, 13 May 2020 10:05:31 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id 3089A20575 for ; Wed, 13 May 2020 10:05:31 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1589364331; bh=LwGn39lj7UslFGfZpnJKr1mv5ArhCasq226wWa4aPUg=; h=From:To:Cc:Subject:Date:In-Reply-To:References:List-ID:From; b=zwwhsuh2qmyhp7TiwUJx7+gcxOtJYitXcEecQ6Aa+bUgls984iJHRR8ndpr5Qfs7m Jse0QsUr4v9SS4ff5chV+FuW2FUHZgssJlU1caV0yciI0Jj1iHJbblGTTh2oEPrgy8 fTNQueegKChsCiJaVdUZl2m7raKQmMwMFx+l17XI= Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727812AbgEMJqa (ORCPT ); Wed, 13 May 2020 05:46:30 -0400 Received: from mail.kernel.org ([198.145.29.99]:43854 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1732636AbgEMJq1 (ORCPT ); Wed, 13 May 2020 05:46:27 -0400 Received: from localhost (83-86-89-107.cable.dynamic.v4.ziggo.nl [83.86.89.107]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 
(256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id D17C623128; Wed, 13 May 2020 09:46:25 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1589363186; bh=LwGn39lj7UslFGfZpnJKr1mv5ArhCasq226wWa4aPUg=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=EO/EVrTQDyAaDDhl0YWzXDaT+pf44wwhVQw1OMKrLhnRkBoKOgmYundfWpc8V/uax bEGaDpPkoiNndZ6/kKPGw4fayQBjG34EfNgsLxydoumj2ga4EDbPxlgVNrhiYraQCZ 4yypOhJIgMWLUFNOPO4JUO5NoW5jMqm/VH08CikI= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Jason Gunthorpe , Tariq Toukan , "David S. Miller" Subject: [PATCH 4.19 07/48] net/mlx4_core: Fix use of ENOSPC around mlx4_counter_alloc() Date: Wed, 13 May 2020 11:44:33 +0200 Message-Id: <20200513094353.857327137@linuxfoundation.org> X-Mailer: git-send-email 2.26.2 In-Reply-To: <20200513094351.100352960@linuxfoundation.org> References: <20200513094351.100352960@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Sender: stable-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: stable@vger.kernel.org From: Tariq Toukan [ Upstream commit 40e473071dbad04316ddc3613c3a3d1c75458299 ] When ENOSPC is set the idx is still valid and gets set to the global MLX4_SINK_COUNTER_INDEX. However gcc's static analysis cannot tell that ENOSPC is impossible from mlx4_cmd_imm() and gives this warning: drivers/net/ethernet/mellanox/mlx4/main.c:2552:28: warning: 'idx' may be used uninitialized in this function [-Wmaybe-uninitialized] 2552 | priv->def_counter[port] = idx; Also, when ENOSPC is returned mlx4_allocate_default_counters should not fail. Fixes: 6de5f7f6a1fa ("net/mlx4_core: Allocate default counter per port") Signed-off-by: Jason Gunthorpe Signed-off-by: Tariq Toukan Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman --- drivers/net/ethernet/mellanox/mlx4/main.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) 
--- a/drivers/net/ethernet/mellanox/mlx4/main.c +++ b/drivers/net/ethernet/mellanox/mlx4/main.c @@ -2539,6 +2539,7 @@ static int mlx4_allocate_default_counter if (!err || err == -ENOSPC) { priv->def_counter[port] = idx; + err = 0; } else if (err == -ENOENT) { err = 0; continue; 
@@ -2589,7 +2590,8 @@ int mlx4_counter_alloc(struct mlx4_dev * MLX4_CMD_TIME_CLASS_A, MLX4_CMD_WRAPPED); if (!err) *idx = get_param_l(&out_param); - + if (WARN_ON(err == -ENOSPC)) + err = -EINVAL; return err; } return __mlx4_counter_alloc(dev, idx); From patchwork Wed May 13 09:44:34 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Greg KH X-Patchwork-Id: 226032 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-6.9 required=3.0 tests=DKIMWL_WL_HIGH, DKIM_SIGNED, DKIM_VALID, HEADER_FROM_DIFFERENT_DOMAINS, MAILING_LIST_MULTI, SIGNED_OFF_BY, SPF_HELO_NONE, SPF_PASS, USER_AGENT_GIT autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 9F918CA90AF for ; Wed, 13 May 2020 09:46:32 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id 7C2B020769 for ; Wed, 13 May 2020 09:46:32 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1589363192; bh=4MFURn699aH2rSYMG6kW1QgGR/t00LzkOG1i+nuVH1o=; h=From:To:Cc:Subject:Date:In-Reply-To:References:List-ID:From; b=vEoGH+HZxFg1O+GyXYH7Jxs+zcdZDX564yNenv9m3TRhnGIqPVJ7zmx7ZrjrhYBPx s0Ic4M0yGjzTsTU/V1euijwoIi5WkUaLoBKqjg64KfhK79T+RFj8Rq5A/UncBAypr8 X2LzRT3fz2ypZ6/6+z4OSSz43xvuFiPEcdcHXxmI= Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1732646AbgEMJqb (ORCPT ); Wed, 13 May 2020 05:46:31 -0400 Received: from mail.kernel.org ([198.145.29.99]:43920 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1732622AbgEMJq3 (ORCPT ); Wed, 13 May 2020 05:46:29 -0400 Received: from localhost (83-86-89-107.cable.dynamic.v4.ziggo.nl [83.86.89.107]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 
bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 4F0E12492C; Wed, 13 May 2020 09:46:28 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1589363188; bh=4MFURn699aH2rSYMG6kW1QgGR/t00LzkOG1i+nuVH1o=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=GuejD/ehuDlgRJ428/aZTOGDnEYSVGma18alKNEIEd6YAkzV+YXlln8BJq3BEVrJ/ ZcQo8VDBf2eImpEov2h+/G1n46zQFyLYCpBbkFTHRN9KsAUaT+wKaI42WsZ3AC1xiX rDwpJ39Wxz+ez/Kazq8ozuCla4POlas+7WtALBPw= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Eric Dumazet , syzbot , "David S. Miller" Subject: [PATCH 4.19 08/48] net_sched: sch_skbprio: add message validation to skbprio_change() Date: Wed, 13 May 2020 11:44:34 +0200 Message-Id: <20200513094354.050443366@linuxfoundation.org> X-Mailer: git-send-email 2.26.2 In-Reply-To: <20200513094351.100352960@linuxfoundation.org> References: <20200513094351.100352960@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Sender: stable-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: stable@vger.kernel.org From: Eric Dumazet [ Upstream commit 2761121af87de45951989a0adada917837d8fa82 ] Do not assume the attribute has the right size. Fixes: aea5f654e6b7 ("net/sched: add skbprio scheduler") Signed-off-by: Eric Dumazet Reported-by: syzbot Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman --- net/sched/sch_skbprio.c | 3 +++ 1 file changed, 3 insertions(+) --- a/net/sched/sch_skbprio.c +++ b/net/sched/sch_skbprio.c 
@@ -173,6 +173,9 @@ static int skbprio_change(struct Qdisc * { struct tc_skbprio_qopt *ctl = nla_data(opt); + if (opt->nla_len != nla_attr_size(sizeof(*ctl))) + return -EINVAL; + sch->limit = ctl->limit; return 0; } From patchwork Wed May 13 09:44:36 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Greg KH X-Patchwork-Id: 226035 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-6.9 required=3.0 tests=DKIMWL_WL_HIGH, DKIM_SIGNED, DKIM_VALID, HEADER_FROM_DIFFERENT_DOMAINS, MAILING_LIST_MULTI, SIGNED_OFF_BY, SPF_HELO_NONE, SPF_PASS, URIBL_BLOCKED, USER_AGENT_GIT autolearn=unavailable autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id C39A4C2D0F9 for ; Wed, 13 May 2020 09:46:04 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id 9BCEE20740 for ; Wed, 13 May 2020 09:46:04 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1589363164; bh=pUIO6TEaK9n0rE5E5dO/hj2zx7EL6SpRabCZcLs9Ka8=; h=From:To:Cc:Subject:Date:In-Reply-To:References:List-ID:From; b=eL5vUB7ftxqgIR9cnLjSDRtScFYB3rOMBOg5sJrEwIrPfPcxda/+bQJ1vRy3vE7rY Tlux6vlZf35pqT3Sswx5bliR2S2iWFg5TZ0Yn6FmP56VTM82owofYmmP9g4xEqr+rb +2pgA+eKmxgFt/USrGYClCA4BmuOdEtc9rXEe9Eg= Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727120AbgEMJqA (ORCPT ); Wed, 13 May 2020 05:46:00 -0400 Received: from mail.kernel.org ([198.145.29.99]:43164 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1730661AbgEMJp7 (ORCPT ); Wed, 13 May 2020 05:45:59 -0400 Received: from localhost (83-86-89-107.cable.dynamic.v4.ziggo.nl [83.86.89.107]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No 
client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 909E4206F5; Wed, 13 May 2020 09:45:58 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1589363159; bh=pUIO6TEaK9n0rE5E5dO/hj2zx7EL6SpRabCZcLs9Ka8=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=ScC8bFUwz3Csx6LjTaiHvogbm2hIToL0WW77QMzEaL3ixCr7j8jvHnuh1LRKWQg0B F6nRcrxqISXzm5UyVUTmhIGmdhJl8w6TFZII+cC6R5dRxLou8sHlKrYBWaIeh1Bpuh x9sXdh+bvVIKh1KXSFPOQTunnfLPuSxfZ6t9KWWM= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Eric Dumazet , syzbot , Cong Wang , "David S. Miller" Subject: [PATCH 4.19 10/48] sch_choke: avoid potential panic in choke_reset() Date: Wed, 13 May 2020 11:44:36 +0200 Message-Id: <20200513094354.391305028@linuxfoundation.org> X-Mailer: git-send-email 2.26.2 In-Reply-To: <20200513094351.100352960@linuxfoundation.org> References: <20200513094351.100352960@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Sender: stable-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: stable@vger.kernel.org 
From: Eric Dumazet [ Upstream commit 8738c85c72b3108c9b9a369a39868ba5f8e10ae0 ] If choke_init() could not allocate q->tab, we would crash later in choke_reset(). BUG: KASAN: null-ptr-deref in memset include/linux/string.h:366 [inline] BUG: KASAN: null-ptr-deref in choke_reset+0x208/0x340 net/sched/sch_choke.c:326 Write of size 8 at addr 0000000000000000 by task syz-executor822/7022 CPU: 1 PID: 7022 Comm: syz-executor822 Not tainted 5.7.0-rc1-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x188/0x20d lib/dump_stack.c:118 __kasan_report.cold+0x5/0x4d mm/kasan/report.c:515 kasan_report+0x33/0x50 mm/kasan/common.c:625 check_memory_region_inline mm/kasan/generic.c:187 [inline] check_memory_region+0x141/0x190 mm/kasan/generic.c:193 memset+0x20/0x40 mm/kasan/common.c:85 memset include/linux/string.h:366 [inline] choke_reset+0x208/0x340 net/sched/sch_choke.c:326 qdisc_reset+0x6b/0x520 net/sched/sch_generic.c:910 dev_deactivate_queue.constprop.0+0x13c/0x240 net/sched/sch_generic.c:1138 netdev_for_each_tx_queue include/linux/netdevice.h:2197 [inline] dev_deactivate_many+0xe2/0xba0 net/sched/sch_generic.c:1195 dev_deactivate+0xf8/0x1c0 net/sched/sch_generic.c:1233 qdisc_graft+0xd25/0x1120 net/sched/sch_api.c:1051 tc_modify_qdisc+0xbab/0x1a00 net/sched/sch_api.c:1670 rtnetlink_rcv_msg+0x44e/0xad0 net/core/rtnetlink.c:5454 netlink_rcv_skb+0x15a/0x410 net/netlink/af_netlink.c:2469 netlink_unicast_kernel net/netlink/af_netlink.c:1303 [inline] netlink_unicast+0x537/0x740 net/netlink/af_netlink.c:1329 netlink_sendmsg+0x882/0xe10 net/netlink/af_netlink.c:1918 sock_sendmsg_nosec net/socket.c:652 [inline] sock_sendmsg+0xcf/0x120 net/socket.c:672 ____sys_sendmsg+0x6bf/0x7e0 net/socket.c:2362 ___sys_sendmsg+0x100/0x170 net/socket.c:2416 __sys_sendmsg+0xec/0x1b0 net/socket.c:2449 do_syscall_64+0xf6/0x7d0 arch/x86/entry/common.c:295 Fixes: 77e62da6e60c ("sch_choke: drop 
all packets in queue during reset") Signed-off-by: Eric Dumazet Reported-by: syzbot Cc: Cong Wang Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman --- net/sched/sch_choke.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) --- a/net/sched/sch_choke.c +++ b/net/sched/sch_choke.c 
@@ -327,7 +327,8 @@ static void choke_reset(struct Qdisc *sc sch->q.qlen = 0; sch->qstats.backlog = 0; - memset(q->tab, 0, (q->tab_mask + 1) * sizeof(struct sk_buff *)); + if (q->tab) + memset(q->tab, 0, (q->tab_mask + 1) * sizeof(struct sk_buff *)); q->head = q->tail = 0; red_restart(&q->vars); } From patchwork Wed May 13 09:44:39 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Greg KH X-Patchwork-Id: 226034 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-6.9 required=3.0 tests=DKIMWL_WL_HIGH, DKIM_SIGNED, DKIM_VALID, HEADER_FROM_DIFFERENT_DOMAINS, MAILING_LIST_MULTI, SIGNED_OFF_BY, SPF_HELO_NONE,SPF_PASS,URIBL_BLOCKED,USER_AGENT_GIT autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id A493DCA90AF for ; Wed, 13 May 2020 09:46:10 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id 7A65720769 for ; Wed, 13 May 2020 09:46:10 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1589363170; bh=Ka+uZXP3Qmj4SZKPSdSkxAFBLLh7Eg88+5ji6OJMt34=; h=From:To:Cc:Subject:Date:In-Reply-To:References:List-ID:From; b=lXZU2COi693A6Nk9BlaoPNsacCBtQt1cl7YscbEhXGjhBxDpjlv8SY39Ifup/ecNx pmCVEJDzcH/4D4PW+7h/779kLZvQxy4RxmqGYkWeim/seycr3C5+rQt4TSIldN0YFW 3PBv9z03J3em65Lv0A8cYI1HnWifv4UD5IUiNvEg= Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1732577AbgEMJqJ (ORCPT ); Wed, 13 May 2020 05:46:09 -0400 Received: from mail.kernel.org ([198.145.29.99]:43396 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1732569AbgEMJqH (ORCPT ); Wed, 13 May 2020 05:46:07 -0400 Received: from localhost (83-86-89-107.cable.dynamic.v4.ziggo.nl [83.86.89.107]) (using 
TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 009D320740; Wed, 13 May 2020 09:46:05 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1589363166; bh=Ka+uZXP3Qmj4SZKPSdSkxAFBLLh7Eg88+5ji6OJMt34=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=cBgDbLCG13btuux407rBr2UfYbB5dNE/4yIRP/LYVO34hixUHHla2scor4pz8gnVp GWEsex0LhCiU1iQyvL5wyhiOl7Y/WNFVy1RtbzbuCAhTAMYMxmCrhiaifiPrD1fg1F bohW0ce4EnvZF0SlSoYtwfr3ijZBlZ01SRPjmsDs= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Michael Chan , "David S. Miller" Subject: [PATCH 4.19 13/48] bnxt_en: Fix VLAN acceleration handling in bnxt_fix_features(). Date: Wed, 13 May 2020 11:44:39 +0200 Message-Id: <20200513094354.851162960@linuxfoundation.org> X-Mailer: git-send-email 2.26.2 In-Reply-To: <20200513094351.100352960@linuxfoundation.org> References: <20200513094351.100352960@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Sender: stable-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: stable@vger.kernel.org From: Michael Chan [ Upstream commit c72cb303aa6c2ae7e4184f0081c6d11bf03fb96b ] The current logic in bnxt_fix_features() will inadvertently turn on both CTAG and STAG VLAN offload if the user tries to disable both. Fix it by checking that the user is trying to enable CTAG or STAG before enabling both. The logic is supposed to enable or disable both CTAG and STAG together. Fixes: 5a9f6b238e59 ("bnxt_en: Enable and disable RX CTAG and RX STAG VLAN acceleration together.") Signed-off-by: Michael Chan Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman --- drivers/net/ethernet/broadcom/bnxt/bnxt.c | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) --- a/drivers/net/ethernet/broadcom/bnxt/bnxt.c +++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.c 
@@ -7562,6 +7562,7 @@ static netdev_features_t bnxt_fix_featur netdev_features_t features) { struct bnxt *bp = netdev_priv(dev); + netdev_features_t vlan_features; if ((features & NETIF_F_NTUPLE) && !bnxt_rfs_capable(bp)) features &= ~NETIF_F_NTUPLE; 
@@ -7578,12 +7579,14 @@ static netdev_features_t bnxt_fix_featur /* Both CTAG and STAG VLAN accelaration on the RX side have to be * turned on or off together. */ - if ((features & (NETIF_F_HW_VLAN_CTAG_RX | NETIF_F_HW_VLAN_STAG_RX)) != - (NETIF_F_HW_VLAN_CTAG_RX | NETIF_F_HW_VLAN_STAG_RX)) { + vlan_features = features & (NETIF_F_HW_VLAN_CTAG_RX | + NETIF_F_HW_VLAN_STAG_RX); + if (vlan_features != (NETIF_F_HW_VLAN_CTAG_RX | + NETIF_F_HW_VLAN_STAG_RX)) { if (dev->features & NETIF_F_HW_VLAN_CTAG_RX) features &= ~(NETIF_F_HW_VLAN_CTAG_RX | NETIF_F_HW_VLAN_STAG_RX); - else + else if (vlan_features) features |= NETIF_F_HW_VLAN_CTAG_RX | NETIF_F_HW_VLAN_STAG_RX; } From patchwork Wed May 13 09:44:40 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Greg KH X-Patchwork-Id: 225910 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-6.9 required=3.0 tests=DKIMWL_WL_HIGH, DKIM_SIGNED, DKIM_VALID, HEADER_FROM_DIFFERENT_DOMAINS, MAILING_LIST_MULTI, SIGNED_OFF_BY, SPF_HELO_NONE, SPF_PASS, URIBL_BLOCKED, USER_AGENT_GIT autolearn=unavailable autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 437A3CA90AF for ; Wed, 13 May 2020 10:05:42 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id 2351420575 for ; Wed, 13 May 2020 10:05:42 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1589364342; bh=jpdaPpHao6OeULRHplp+4KkK02unGY3r6eZUySCwHaM=; h=From:To:Cc:Subject:Date:In-Reply-To:References:List-ID:From; b=ayieCzv0IWRPJ7JVwUluBmA8QqvHtl7rM/CGmMvdvQjvH1fJWp5THmNXG6G+O1JlK ZLmdkHVI02X0o9iJXapLCCIhj2CKOG2MZZGZ47J/Ft2Q+4ky8RQ6Yb0I/v+a2n6sRE OkJtkSWHndOYhWJ3M9lKFvb6VsestOtKtRapgCLU= Received: (majordomo@vger.kernel.org) 
by vger.kernel.org via listexpand id S1732581AbgEMJqK (ORCPT ); Wed, 13 May 2020 05:46:10 -0400 Received: from mail.kernel.org ([198.145.29.99]:43452 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726492AbgEMJqJ (ORCPT ); Wed, 13 May 2020 05:46:09 -0400 Received: from localhost (83-86-89-107.cable.dynamic.v4.ziggo.nl [83.86.89.107]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 67F8020740; Wed, 13 May 2020 09:46:08 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1589363168; bh=jpdaPpHao6OeULRHplp+4KkK02unGY3r6eZUySCwHaM=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=WoWofrOCEaxW0E7UULadyUuknM/4CGjZ2nQjMObusz0is/FXaY8Q0VGG/oe0eK3kj u3EUgCmBjI3mtrE9QXrOC7U0WvD+PEjoUiGxO0k+CxyTudgV79fYsE4WI1dwQlC8sr 7+fiSXfy9q7GviOhSifCzEa4OSGVuYTqrohcW1m0= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Moshe Shemesh , Eran Ben Elisha , Saeed Mahameed Subject: [PATCH 4.19 14/48] net/mlx5: Fix forced completion access non initialized command entry Date: Wed, 13 May 2020 11:44:40 +0200 Message-Id: <20200513094354.999572106@linuxfoundation.org> X-Mailer: git-send-email 2.26.2 In-Reply-To: <20200513094351.100352960@linuxfoundation.org> References: <20200513094351.100352960@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Sender: stable-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: stable@vger.kernel.org 
From: Moshe Shemesh [ Upstream commit f3cb3cebe26ed4c8036adbd9448b372129d3c371 ] mlx5_cmd_flush() will trigger forced completions to all valid command entries. Triggered by an asynch event such as fast teardown it can happen at any stage of the command, including command initialization. It will trigger forced completion and that can lead to completion on an uninitialized command entry. Setting MLX5_CMD_ENT_STATE_PENDING_COMP only after command entry is initialized will ensure force completion is treated only if command entry is initialized. Fixes: 73dd3a4839c1 ("net/mlx5: Avoid using pending command interface slots") Signed-off-by: Moshe Shemesh Signed-off-by: Eran Ben Elisha Signed-off-by: Saeed Mahameed Signed-off-by: Greg Kroah-Hartman --- drivers/net/ethernet/mellanox/mlx5/core/cmd.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- a/drivers/net/ethernet/mellanox/mlx5/core/cmd.c +++ b/drivers/net/ethernet/mellanox/mlx5/core/cmd.c @@ -862,7 +862,6 @@ static void cmd_work_handler(struct work } cmd->ent_arr[ent->idx] = ent; - set_bit(MLX5_CMD_ENT_STATE_PENDING_COMP, &ent->state); lay = get_inst(cmd, ent->idx); ent->lay = lay; memset(lay, 0, sizeof(*lay)); 
@@ -884,6 +883,7 @@ static void cmd_work_handler(struct work if (ent->callback) schedule_delayed_work(&ent->cb_timeout_work, cb_timeout); + set_bit(MLX5_CMD_ENT_STATE_PENDING_COMP, &ent->state); /* Skip sending command to fw if internal error */ if (pci_channel_offline(dev->pdev) || From patchwork Wed May 13 09:44:42 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Greg KH X-Patchwork-Id: 226025 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-6.9 required=3.0 tests=DKIMWL_WL_HIGH, DKIM_SIGNED, DKIM_VALID, HEADER_FROM_DIFFERENT_DOMAINS, MAILING_LIST_MULTI, SIGNED_OFF_BY, SPF_HELO_NONE,SPF_PASS,URIBL_BLOCKED,USER_AGENT_GIT autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 29138CA90AF for ; Wed, 13 May 2020 09:47:56 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id 0A45523126 for ; Wed, 13 May 2020 09:47:56 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1589363276; bh=04SOpmy/nQi3IPuBwWUpHz+7j9p4iDrmYSVTlxJeMQQ=; h=From:To:Cc:Subject:Date:In-Reply-To:References:List-ID:From; b=tLJgPOTRHP0tfsTRe6HpGG8DGaK+9rXEboh5JHUKSqpTzdXhuhCKtyx0HoxS/m0LU Wwa/zOy72avy5G7e3bvg+ZZ121Og6ZroHqwRdont4qpRwqOas1K++nTcp68/TJGLFw 1c4VrvT4aItioufZTn/SLMVgviXCdvRN0YPMJRJA= Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1732960AbgEMJrz (ORCPT ); Wed, 13 May 2020 05:47:55 -0400 Received: from mail.kernel.org ([198.145.29.99]:46042 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1732954AbgEMJry (ORCPT ); Wed, 13 May 2020 05:47:54 -0400 Received: from localhost (83-86-89-107.cable.dynamic.v4.ziggo.nl [83.86.89.107]) (using TLSv1.2 with 
From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Michael Chan, "David S. Miller"
Subject: [PATCH 4.19 16/48] bnxt_en: Improve AER slot reset.
Date: Wed, 13 May 2020 11:44:42 +0200
Message-Id: <20200513094355.306462715@linuxfoundation.org>

From: Michael Chan

[ Upstream commit bae361c54fb6ac6eba3b4762f49ce14beb73ef13 ]

Improve the slot reset sequence by disabling the device to prevent bad DMAs if slot reset fails. Return the proper result instead of always PCI_ERS_RESULT_RECOVERED to the caller.

Fixes: 6316ea6db93d ("bnxt_en: Enable AER support.")
Signed-off-by: Michael Chan
Signed-off-by: David S. Miller
Signed-off-by: Greg Kroah-Hartman
---
drivers/net/ethernet/broadcom/bnxt/bnxt.c | 9 ++++++---
1 file changed, 6 insertions(+), 3 deletions(-)

--- a/drivers/net/ethernet/broadcom/bnxt/bnxt.c +++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.c
@@ -9300,8 +9300,11 @@ static pci_ers_result_t bnxt_io_slot_res } } - if (result != PCI_ERS_RESULT_RECOVERED && netif_running(netdev)) - dev_close(netdev); + if (result != PCI_ERS_RESULT_RECOVERED) { + if (netif_running(netdev)) + dev_close(netdev); + pci_disable_device(pdev); + } rtnl_unlock(); 
@@ -9312,7 +9315,7 @@ static pci_ers_result_t bnxt_io_slot_res err); /* non-fatal, continue */ } - return PCI_ERS_RESULT_RECOVERED; + return result; } /**
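Review bot: The first hunk (@@ -9300,8 +9300,11 @@) calls pci_disable_device(pdev) for every result other than PCI_ERS_RESULT_RECOVERED without checking that the device was enabled on the way here. The code that sets result is outside the visible context, so please confirm that no path reaches this block after a failed enable, since disabling a device that was never enabled is unbalanced. A short comment above the call saying why the device is disabled here (stopping DMA after a failed slot reset, per the commit message) would keep it from being dropped in a later cleanup. With return result replacing the unconditional PCI_ERS_RESULT_RECOVERED in the second hunk, it is also worth confirming that the error handled just above it as /* non-fatal, continue */ is not expected to change result.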
From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Jere Leppänen, Marcelo Ricardo Leitner, "David S. Miller", Guenter Roeck
Subject: [PATCH 4.19 20/48] sctp: Fix bundling of SHUTDOWN with COOKIE-ACK
Date: Wed, 13 May 2020 11:44:46 +0200
Message-Id: <20200513094356.037688991@linuxfoundation.org>
From: Jere Leppänen

commit 145cb2f7177d94bc54563ed26027e952ee0ae03c upstream.

When we start shutdown in sctp_sf_do_dupcook_a(), we want to bundle the SHUTDOWN with the COOKIE-ACK to ensure that the peer receives them at the same time and in the correct order.

This bundling was broken by commit 4ff40b86262b ("sctp: set chunk transport correctly when it's a new asoc"), which assigns a transport for the COOKIE-ACK, but not for the SHUTDOWN.

Fix this by passing a reference to the COOKIE-ACK chunk as an argument to sctp_sf_do_9_2_start_shutdown() and onward to sctp_make_shutdown(). This way the SHUTDOWN chunk is assigned the same transport as the COOKIE-ACK chunk, which allows them to be bundled.

In sctp_sf_do_9_2_start_shutdown(), the void *arg parameter was previously unused. Now that we're taking it into use, it must be a valid pointer to a chunk, or NULL. There is only one call site where it's not, in sctp_sf_autoclose_timer_expire(). Fix that too.

Fixes: 4ff40b86262b ("sctp: set chunk transport correctly when it's a new asoc")
Signed-off-by: Jere Leppänen
Acked-by: Marcelo Ricardo Leitner
Signed-off-by: David S. Miller
Cc: Guenter Roeck
Signed-off-by: Greg Kroah-Hartman
---
net/sctp/sm_statefuns.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)

--- a/net/sctp/sm_statefuns.c +++ b/net/sctp/sm_statefuns.c @@ -1880,7 +1880,7 @@ static enum sctp_disposition sctp_sf_do_ */ sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl)); return sctp_sf_do_9_2_start_shutdown(net, ep, asoc, - SCTP_ST_CHUNK(0), NULL, + SCTP_ST_CHUNK(0), repl, commands); } else { sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, @@ -5483,7 +5483,7 @@ enum sctp_disposition sctp_sf_do_9_2_sta * in the Cumulative TSN Ack field the last sequential TSN it * has received from the peer. */ - reply = sctp_make_shutdown(asoc, NULL); + reply = sctp_make_shutdown(asoc, arg); if (!reply) goto nomem;
@@ -6081,7 +6081,7 @@ enum sctp_disposition sctp_sf_autoclose_ disposition = SCTP_DISPOSITION_CONSUME; if (sctp_outq_is_empty(&asoc->outqueue)) { disposition = sctp_sf_do_9_2_start_shutdown(net, ep, asoc, type, - arg, commands); + NULL, commands); } return disposition;
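Review bot: In the hunk at @@ -5483,7 +5483,7 @@, sctp_make_shutdown(asoc, arg) now consumes the void *arg parameter of sctp_sf_do_9_2_start_shutdown() as a chunk pointer, and nothing in the signature or in the visible comment records that contract. The commit message says the only call site that passed something else was sctp_sf_autoclose_timer_expire(), fixed in the last hunk by passing NULL, but a future caller that forwards its own arg would compile cleanly and hand a non-chunk pointer to sctp_make_shutdown(). Please state in the function's header comment that arg must be a chunk pointer or NULL, or assign it to a typed local before the call so the intent is visible at the use site.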
From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Alan Stern, Jiri Kosina, syzbot+7bf5a7b0f0a1f9446f4c@syzkaller.appspotmail.com
Subject: [PATCH 4.19 21/48] HID: usbhid: Fix race between usbhid_close() and usbhid_stop()
Date: Wed, 13 May 2020 11:44:47 +0200
Message-Id: <20200513094356.227542582@linuxfoundation.org>
From: Alan Stern

commit 0ed08faded1da03eb3def61502b27f81aef2e615 upstream.

The syzbot fuzzer discovered a bad race in the usbhid driver between usbhid_stop() and usbhid_close(). In particular, usbhid_stop() does:

	usb_free_urb(usbhid->urbin);
	...
	usbhid->urbin = NULL; /* don't mess up next start */

and usbhid_close() does:

	usb_kill_urb(usbhid->urbin);

with no mutual exclusion. If the two routines happen to run concurrently so that usb_kill_urb() is called in between the usb_free_urb() and the NULL assignment, it will access the deallocated urb structure -- a use-after-free bug.

This patch adds a mutex to the usbhid private structure and uses it to enforce mutual exclusion of the usbhid_start(), usbhid_stop(), usbhid_open() and usbhid_close() callbacks.

Reported-and-tested-by: syzbot+7bf5a7b0f0a1f9446f4c@syzkaller.appspotmail.com
Signed-off-by: Alan Stern
CC:
Signed-off-by: Jiri Kosina
Signed-off-by: Greg Kroah-Hartman
---
drivers/hid/usbhid/hid-core.c | 37 +++++++++++++++++++++++++++++--------
drivers/hid/usbhid/usbhid.h | 1 +
2 files changed, 30 insertions(+), 8 deletions(-)

--- a/drivers/hid/usbhid/hid-core.c +++ b/drivers/hid/usbhid/hid-core.c @@ -685,16 +685,21 @@ static int usbhid_open(struct hid_device struct usbhid_device *usbhid = hid->driver_data; int res; + mutex_lock(&usbhid->mutex); + set_bit(HID_OPENED, &usbhid->iofl); - if (hid->quirks & HID_QUIRK_ALWAYS_POLL) - return 0; + if (hid->quirks & HID_QUIRK_ALWAYS_POLL) { + res = 0; + goto Done; + } res = usb_autopm_get_interface(usbhid->intf); /* the device must be awake to reliably request remote wakeup */ if (res < 0) { clear_bit(HID_OPENED, &usbhid->iofl); - return -EIO; + res = -EIO; + goto Done; } usbhid->intf->needs_remote_wakeup = 1; @@ -728,6 +733,9 @@ static int usbhid_open(struct hid_device msleep(50); clear_bit(HID_RESUME_RUNNING, &usbhid->iofl); + + Done: + mutex_unlock(&usbhid->mutex); return res; }
@@ -735,6 +743,8 @@ static void usbhid_close(struct hid_devi { struct usbhid_device *usbhid = hid->driver_data; + mutex_lock(&usbhid->mutex); + /* * Make sure we don't restart data acquisition due to * a resumption we no longer care about by avoiding racing @@ -746,12 +756,13 @@ static void usbhid_close(struct hid_devi clear_bit(HID_IN_POLLING, &usbhid->iofl); spin_unlock_irq(&usbhid->lock); - if (hid->quirks & HID_QUIRK_ALWAYS_POLL) - return; + if (!(hid->quirks & HID_QUIRK_ALWAYS_POLL)) { + hid_cancel_delayed_stuff(usbhid); + usb_kill_urb(usbhid->urbin); + usbhid->intf->needs_remote_wakeup = 0; + } - hid_cancel_delayed_stuff(usbhid); - usb_kill_urb(usbhid->urbin); - usbhid->intf->needs_remote_wakeup = 0; + mutex_unlock(&usbhid->mutex); } /* @@ -1060,6 +1071,8 @@ static int usbhid_start(struct hid_devic unsigned int n, insize = 0; int ret; + mutex_lock(&usbhid->mutex); + clear_bit(HID_DISCONNECTED, &usbhid->iofl); usbhid->bufsize = HID_MIN_BUFFER_SIZE; @@ -1180,6 +1193,8 @@ static int usbhid_start(struct hid_devic usbhid_set_leds(hid); device_set_wakeup_enable(&dev->dev, 1); } + + mutex_unlock(&usbhid->mutex); return 0; fail: @@ -1190,6 +1205,7 @@ fail: usbhid->urbout = NULL; usbhid->urbctrl = NULL; hid_free_buffers(dev, hid); + mutex_unlock(&usbhid->mutex); return ret; } @@ -1205,6 +1221,8 @@ static void usbhid_stop(struct hid_devic usbhid->intf->needs_remote_wakeup = 0; } + mutex_lock(&usbhid->mutex); + clear_bit(HID_STARTED, &usbhid->iofl); spin_lock_irq(&usbhid->lock); /* Sync with error and led handlers */ set_bit(HID_DISCONNECTED, &usbhid->iofl); @@ -1225,6 +1243,8 @@ static void usbhid_stop(struct hid_devic usbhid->urbout = NULL; hid_free_buffers(hid_to_usb_dev(hid), hid); + + mutex_unlock(&usbhid->mutex); } static int usbhid_power(struct hid_device *hid, int lvl) 
@@ -1385,6 +1405,7 @@ static int usbhid_probe(struct usb_inter INIT_WORK(&usbhid->reset_work, hid_reset); timer_setup(&usbhid->io_retry, hid_retry_timeout, 0); spin_lock_init(&usbhid->lock); + mutex_init(&usbhid->mutex); ret = hid_add_device(hid); if (ret) { --- a/drivers/hid/usbhid/usbhid.h +++ b/drivers/hid/usbhid/usbhid.h 
@@ -93,6 +93,7 @@ struct usbhid_device { dma_addr_t outbuf_dma; /* Output buffer dma */ unsigned long last_out; /* record of last output for timeouts */ + struct mutex mutex; /* start/stop/open/close */ spinlock_t lock; /* fifo spinlock */ unsigned long iofl; /* I/O flags (CTRL_RUNNING, OUT_RUNNING) */ struct timer_list io_retry; /* Retry timer */
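Review bot: In the usbhid_stop() hunk (@@ -1205,6 +1221,8 @@) mutex_lock(&usbhid->mutex) is taken only after the block that ends with usbhid->intf->needs_remote_wakeup = 0, so that store stays outside the new mutex, while usbhid_open() sets the same field to 1 and usbhid_close() clears it with the mutex held. Either move the mutex_lock() to the top of usbhid_stop() so all four callbacks touch needs_remote_wakeup under the same lock, or add a comment saying why the store in usbhid_stop() is safe without it.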
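Review bot: The comment on the new field in usbhid.h, /* start/stop/open/close */, names the callbacks that take the mutex but not what it protects or how it nests with the existing spinlock. usbhid_close() and usbhid_stop() both take usbhid->lock with the mutex already held, so the order is mutex first, then spinlock; please say so in the field comment, and mention that the mutex serialises the urb allocation and teardown against usb_kill_urb(), which is the race described in the commit message.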
From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, "Tzvetomir Stoyanov (VMware)", Joerg Roedel, "Steven Rostedt (VMware)"
Subject: [PATCH 4.19 24/48] tracing: Add a vmalloc_sync_mappings() for safe measure
Date: Wed, 13 May 2020 11:44:50 +0200
Message-Id: <20200513094357.140180121@linuxfoundation.org>
From: Steven Rostedt (VMware)

commit 11f5efc3ab66284f7aaacc926e9351d658e2577b upstream.

x86_64 lazily maps in the vmalloc pages, and the way this works with per_cpu areas can be complex, to say the least. Mappings may happen at boot up, and if nothing synchronizes the page tables, those page mappings may not be synced till they are used. This causes issues for anything that might touch one of those mappings in the path of the page fault handler. When one of those unmapped mappings is touched in the page fault handler, it will cause another page fault, which in turn will cause a page fault, and leave us in a loop of page faults.

Commit 763802b53a42 ("x86/mm: split vmalloc_sync_all()") split vmalloc_sync_all() into vmalloc_sync_unmappings() and vmalloc_sync_mappings(), as on system exit, it did not need to do a full sync on x86_64 (although it still needed to be done on x86_32). By chance, the vmalloc_sync_all() would synchronize the page mappings done at boot up and prevent the per cpu area from being a problem for tracing in the page fault handler. But when that synchronization in the exit of a task became a nop, it caused the problem to appear.

Link: https://lore.kernel.org/r/20200429054857.66e8e333@oasis.local.home
Cc: stable@vger.kernel.org
Fixes: 737223fbca3b1 ("tracing: Consolidate buffer allocation code")
Reported-by: "Tzvetomir Stoyanov (VMware)"
Suggested-by: Joerg Roedel
Signed-off-by: Steven Rostedt (VMware)
Signed-off-by: Greg Kroah-Hartman
---
kernel/trace/trace.c | 13 +++++++++++++
1 file changed, 13 insertions(+)

--- a/kernel/trace/trace.c +++ b/kernel/trace/trace.c
@@ -7750,6 +7750,19 @@ static int allocate_trace_buffers(struct */ allocate_snapshot = false; #endif + + /* + * Because of some magic with the way alloc_percpu() works on + * x86_64, we need to synchronize the pgd of all the tables, + * otherwise the trace events that happen in x86_64 page fault + * handlers can't cope with accessing the chance that a + * alloc_percpu()'d memory might be touched in the page fault trace + * event. Oh, and we need to audit all other alloc_percpu() and vmalloc() + * calls in tracing, because something might get triggered within a + * page fault trace event! + */ + vmalloc_sync_mappings(); + return 0; }
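Review bot: The comment added above vmalloc_sync_mappings() does not parse where it says the handlers "can't cope with accessing the chance that a alloc_percpu()'d memory might be touched in the page fault trace event", which reads like two sentences merged. This comment is the only in-tree explanation of why the sync is here, so please reword it along the lines of the commit message: trace events fired from the x86_64 page fault handler may touch alloc_percpu()'d memory whose mapping has not been synchronized yet, which faults again. The closing "Oh, and we need to audit all other alloc_percpu() and vmalloc() calls in tracing" describes outstanding work rather than this code, so it would be easier to find later as a TODO or in the commit message.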
From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Mark Rutland, Kyrill Tkachov, Will Deacon, Catalin Marinas
Subject: [PATCH 4.19 27/48] arm64: hugetlb: avoid potential NULL dereference
Date: Wed, 13 May 2020 11:44:53 +0200
Message-Id: <20200513094357.770767423@linuxfoundation.org>
From: Mark Rutland

commit 027d0c7101f50cf03aeea9eebf484afd4920c8d3 upstream.

The static analyzer in GCC 10 spotted that in huge_pte_alloc() we may pass a NULL pmdp into pte_alloc_map() when pmd_alloc() returns NULL:

| CC arch/arm64/mm/pageattr.o
| CC arch/arm64/mm/hugetlbpage.o
| from arch/arm64/mm/hugetlbpage.c:10:
| arch/arm64/mm/hugetlbpage.c: In function ‘huge_pte_alloc’:
| ./arch/arm64/include/asm/pgtable-types.h:28:24: warning: dereference of NULL ‘pmdp’ [CWE-690] [-Wanalyzer-null-dereference]
| ./arch/arm64/include/asm/pgtable.h:436:26: note: in expansion of macro ‘pmd_val’
| arch/arm64/mm/hugetlbpage.c:242:10: note: in expansion of macro ‘pte_alloc_map’
| |arch/arm64/mm/hugetlbpage.c:232:10:
| |./arch/arm64/include/asm/pgtable-types.h:28:24:
| ./arch/arm64/include/asm/pgtable.h:436:26: note: in expansion of macro ‘pmd_val’
| arch/arm64/mm/hugetlbpage.c:242:10: note: in expansion of macro ‘pte_alloc_map’

This can only occur when the kernel cannot allocate a page, and so is unlikely to happen in practice before other systems start failing.

We can avoid this by bailing out if pmd_alloc() fails, as we do earlier in the function if pud_alloc() fails.

Fixes: 66b3923a1a0f ("arm64: hugetlb: add support for PTE contiguous bit")
Signed-off-by: Mark Rutland
Reported-by: Kyrill Tkachov
Cc: # 4.5.x-
Cc: Will Deacon
Signed-off-by: Catalin Marinas
Signed-off-by: Greg Kroah-Hartman
---
arch/arm64/mm/hugetlbpage.c | 2 ++
1 file changed, 2 insertions(+)

--- a/arch/arm64/mm/hugetlbpage.c +++ b/arch/arm64/mm/hugetlbpage.c
@@ -218,6 +218,8 @@ pte_t *huge_pte_alloc(struct mm_struct * ptep = (pte_t *)pudp; } else if (sz == (PAGE_SIZE * CONT_PTES)) { pmdp = pmd_alloc(mm, pudp, addr); + if (!pmdp) + return NULL; WARN_ON(addr & (sz - 1)); /*
From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Oscar Carter, Richard Yeh
Subject: [PATCH 4.19 29/48] staging: gasket: Check the return value of gasket_get_bar_index()
Date: Wed, 13 May 2020 11:44:55 +0200
Message-Id: <20200513094358.457452609@linuxfoundation.org>

From: Oscar Carter

commit 769acc3656d93aaacada814939743361d284fd87 upstream.

Check the return value of gasket_get_bar_index function as it can return a negative one (-EINVAL). If this happens, a negative index is used in the "gasket_dev->bar_data" array.

Addresses-Coverity-ID: 1438542 ("Negative array index read")
Fixes: 9a69f5087ccc2 ("drivers/staging: Gasket driver framework + Apex driver")
Signed-off-by: Oscar Carter
Cc: stable
Reviewed-by: Richard Yeh
Link: https://lore.kernel.org/r/20200501155118.13380-1-oscar.carter@gmx.com
Signed-off-by: Greg Kroah-Hartman
Signed-off-by: Greg Kroah-Hartman
---
drivers/staging/gasket/gasket_core.c | 4 ++++
1 file changed, 4 insertions(+)

--- a/drivers/staging/gasket/gasket_core.c +++ b/drivers/staging/gasket/gasket_core.c
@@ -933,6 +933,10 @@ do_map_region(const struct gasket_dev *g gasket_get_bar_index(gasket_dev, (vma->vm_pgoff << PAGE_SHIFT) + driver_desc->legacy_mmap_address_offset); + + if (bar_index < 0) + return DO_MAP_REGION_INVALID; + phys_base = gasket_dev->bar_data[bar_index].phys_base + phys_offset; while (mapped_bytes < map_length) { /*
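Review bot: The new check returns DO_MAP_REGION_INVALID when bar_index < 0 without logging anything, so the -EINVAL from gasket_get_bar_index() that the commit message describes disappears on this path. A dev_dbg() naming the rejected offset would make a failed mmap diagnosable, and a short comment that the check guards the gasket_dev->bar_data[bar_index] read on the next line would tie it to the Coverity report. On style, the blank line the hunk adds between the gasket_get_bar_index() call and the if separates the test from the value it tests; the error check normally sits directly under the assignment.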
From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Tony Vroon, Sergey Kvachonok, Sergei Trofimovich, Luis Chamberlain
Subject: [PATCH 4.19 30/48] coredump: fix crash when umh is disabled
Date: Wed, 13 May 2020 11:44:56 +0200
Message-Id: <20200513094358.847167713@linuxfoundation.org>
From: Luis Chamberlain

commit 3740d93e37902b31159a82da2d5c8812ed825404 upstream.

Commit 64e90a8acb859 ("Introduce STATIC_USERMODEHELPER to mediate call_usermodehelper()") added the option to disable all call_usermodehelper() calls by setting STATIC_USERMODEHELPER_PATH to an empty string. When this is done, and crashdump is triggered, it will crash on null pointer dereference, since we make assumptions over what call_usermodehelper_exec() did.

This has been reported by Sergey when one triggers a coredump with the following configuration:

```
CONFIG_STATIC_USERMODEHELPER=y
CONFIG_STATIC_USERMODEHELPER_PATH=""
kernel.core_pattern = |/usr/lib/systemd/systemd-coredump %P %u %g %s %t %c %h %e
```

The way disabling the umh was designed was that call_usermodehelper_exec() would just return early, without an error. But coredump assumes certain variables are set up for us when this happens, and calls file_start_write(cprm.file) with a NULL file.

```
[ 2.819676] BUG: kernel NULL pointer dereference, address: 0000000000000020
[ 2.819859] #PF: supervisor read access in kernel mode
[ 2.820035] #PF: error_code(0x0000) - not-present page
[ 2.820188] PGD 0 P4D 0
[ 2.820305] Oops: 0000 [#1] SMP PTI
[ 2.820436] CPU: 2 PID: 89 Comm: a Not tainted 5.7.0-rc1+ #7
[ 2.820680] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS ?-20190711_202441-buildvm-armv7-10.arm.fedoraproject.org-2.fc31 04/01/2014
[ 2.821150] RIP: 0010:do_coredump+0xd80/0x1060
[ 2.821385] Code: e8 95 11 ed ff 48 c7 c6 cc a7 b4 81 48 8d bd 28 ff ff ff 89 c2 e8 70 f1 ff ff 41 89 c2 85 c0 0f 84 72 f7 ff ff e9 b4 fe ff ff <48> 8b 57 20 0f b7 02 66 25 00 f0 66 3d 00 8 0 0f 84 9c 01 00 00 44
[ 2.822014] RSP: 0000:ffffc9000029bcb8 EFLAGS: 00010246
[ 2.822339] RAX: 0000000000000000 RBX: ffff88803f860000 RCX: 000000000000000a
[ 2.822746] RDX: 0000000000000009 RSI: 0000000000000282 RDI: 0000000000000000
[ 2.823141] RBP: ffffc9000029bde8 R08: 0000000000000000 R09: ffffc9000029bc00
[ 2.823508] R10: 0000000000000001 R11: ffff88803dec90be R12: ffffffff81c39da0
[ 2.823902] R13: ffff88803de84400 R14: 0000000000000000 R15: 0000000000000000
[ 2.824285] FS: 00007fee08183540(0000) GS:ffff88803e480000(0000) knlGS:0000000000000000
[ 2.824767] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 2.825111] CR2: 0000000000000020 CR3: 000000003f856005 CR4: 0000000000060ea0
[ 2.825479] Call Trace:
[ 2.825790] get_signal+0x11e/0x720
[ 2.826087] do_signal+0x1d/0x670
[ 2.826361] ? force_sig_info_to_task+0xc1/0xf0
[ 2.826691] ? force_sig_fault+0x3c/0x40
[ 2.826996] ? do_trap+0xc9/0x100
[ 2.827179] exit_to_usermode_loop+0x49/0x90
[ 2.827359] prepare_exit_to_usermode+0x77/0xb0
[ 2.827559] ? invalid_op+0xa/0x30
[ 2.827747] ret_from_intr+0x20/0x20
[ 2.827921] RIP: 0033:0x55e2c76d2129
[ 2.828107] Code: 2d ff ff ff e8 68 ff ff ff 5d c6 05 18 2f 00 00 01 c3 0f 1f 80 00 00 00 00 c3 0f 1f 80 00 00 00 00 e9 7b ff ff ff 55 48 89 e5 <0f> 0b b8 00 00 00 00 5d c3 66 2e 0f 1f 84 0 0 00 00 00 00 0f 1f 40
[ 2.828603] RSP: 002b:00007fffeba5e080 EFLAGS: 00010246
[ 2.828801] RAX: 000055e2c76d2125 RBX: 0000000000000000 RCX: 00007fee0817c718
[ 2.829034] RDX: 00007fffeba5e188 RSI: 00007fffeba5e178 RDI: 0000000000000001
[ 2.829257] RBP: 00007fffeba5e080 R08: 0000000000000000 R09: 00007fee08193c00
[ 2.829482] R10: 0000000000000009 R11: 0000000000000000 R12: 000055e2c76d2040
[ 2.829727] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[ 2.829964] CR2: 0000000000000020
[ 2.830149] ---[ end trace ceed83d8c68a1bf1 ]---
```

Cc: # v4.11+
Fixes: 64e90a8acb85 ("Introduce STATIC_USERMODEHELPER to mediate call_usermodehelper()")
BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=199795
Reported-by: Tony Vroon
Reported-by: Sergey Kvachonok
Tested-by: Sergei Trofimovich
Signed-off-by: Luis Chamberlain
Link: https://lore.kernel.org/r/20200416162859.26518-1-mcgrof@kernel.org
Signed-off-by: Greg Kroah-Hartman
Signed-off-by: Greg Kroah-Hartman --- fs/coredump.c | 8 ++++++++ kernel/umh.c | 5 +++++ 2 files changed, 13 insertions(+) --- a/fs/coredump.c +++ b/fs/coredump.c @@ -753,6 +753,14 @@ void do_coredump(const siginfo_t *siginf if (displaced) put_files_struct(displaced); if (!dump_interrupted()) { + /* + * umh disabled with CONFIG_STATIC_USERMODEHELPER_PATH="" would + * have this set to NULL. + */ + if (!cprm.file) { + pr_info("Core dump to |%s disabled\n", cn.corename); + goto close_fail; + } file_start_write(cprm.file); core_dumped = binfmt->core_dump(&cprm); file_end_write(cprm.file); --- a/kernel/umh.c +++ b/kernel/umh.c 
@@ -522,6 +522,11 @@ EXPORT_SYMBOL_GPL(fork_usermode_blob); * Runs a user-space application. The application is started * asynchronously if wait is not set, and runs as a child of system workqueues. * (ie. it runs with full root capabilities and optimized affinity). + * + * Note: successful return value does not guarantee the helper was called at + * all. You can't rely on sub_info->{init,cleanup} being called even for + * UMH_WAIT_* wait modes as STATIC_USERMODEHELPER_PATH="" turns all helpers + * into a successful no-op. */ int call_usermodehelper_exec(struct subprocess_info *sub_info, int wait) {
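
Review bot: the new "if (!cprm.file)" branch in the fs/coredump.c hunk logs with a plain pr_info() on every dump attempt, so on a kernel built with CONFIG_STATIC_USERMODEHELPER_PATH="" each crashing process adds a line to the kernel log with no bound on the rate; pr_info_ratelimited() would keep the diagnostic without that. The message also hard-codes the pipe form ("Core dump to |%s disabled") although the check sits in the common "if (!dump_interrupted())" block, and the hunk does not show whether close_fail tolerates a NULL cprm.file, so both are worth confirming against the full do_coredump().
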
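
Review bot: the comment added above call_usermodehelper_exec() in the kernel/umh.c hunk tells callers what they cannot rely on but not what to do instead; one more sentence pointing at the pattern the fs/coredump.c hunk uses (check the state the init callback was meant to set up, here cprm.file, before using it) would make the warning actionable for other UMH_WAIT_* callers.
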
From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Sean Christopherson, Andi Kleen, Paolo Bonzini
Subject: [PATCH 4.19 31/48] KVM: VMX: Explicitly reference RCX as the vmx_vcpu pointer in asm blobs
Date: Wed, 13 May 2020 11:44:57 +0200
Message-Id: <20200513094359.369566125@linuxfoundation.org>
In-Reply-To: <20200513094351.100352960@linuxfoundation.org>

From: Sean Christopherson commit 051a2d3e59e51ae49fd56aef34e472832897ce46 upstream. Use '%% " _ASM_CX"' instead of '%0' to dereference RCX, i.e. the 'struct vcpu_vmx' pointer, in the VM-Enter asm blobs of vmx_vcpu_run() and nested_vmx_check_vmentry_hw(). Using the symbolic name means that adding/removing an output parameter(s) requires "rewriting" almost all of the asm blob, which makes it nearly impossible to understand what's being changed in even the most minor patches. Opportunistically improve the code comments. Signed-off-by: Sean Christopherson Reviewed-by: Andi Kleen Signed-off-by: Paolo Bonzini Signed-off-by: Greg Kroah-Hartman --- arch/x86/kvm/vmx.c | 86 ++++++++++++++++++++++++++++------------------------- 1 file changed, 47 insertions(+), 39 deletions(-) --- a/arch/x86/kvm/vmx.c +++ b/arch/x86/kvm/vmx.c @@ -10776,9 +10776,9 @@ static void __noclone vmx_vcpu_run(struc "push %%" _ASM_DX "; push %%" _ASM_BP ";" "push %%" _ASM_CX " \n\t" /* placeholder for guest rcx */ "push %%" _ASM_CX " \n\t" - "cmp %%" _ASM_SP ", %c[host_rsp](%0) \n\t" + "cmp %%" _ASM_SP ", %c[host_rsp](%%" _ASM_CX ") \n\t" "je 1f \n\t" - "mov %%" _ASM_SP ", %c[host_rsp](%0) \n\t" + "mov %%" _ASM_SP ", %c[host_rsp](%%" _ASM_CX ") \n\t" /* Avoid VMWRITE when Enlightened VMCS is in use */ "test %%" _ASM_SI ", %%" _ASM_SI " \n\t" "jz 2f \n\t" 
@@ -10788,32 +10788,33 @@ static void __noclone vmx_vcpu_run(struc __ex(ASM_VMX_VMWRITE_RSP_RDX) "\n\t" "1: \n\t" /* Reload cr2 if changed */ - "mov %c[cr2](%0), %%" _ASM_AX " \n\t" + "mov %c[cr2](%%" _ASM_CX "), %%" _ASM_AX " \n\t" "mov %%cr2, %%" _ASM_DX " \n\t" "cmp %%" _ASM_AX ", %%" _ASM_DX " \n\t" "je 3f \n\t" "mov %%" _ASM_AX", %%cr2 \n\t" "3: \n\t" /* Check if vmlaunch of vmresume is needed */ - "cmpb $0, %c[launched](%0) \n\t" + "cmpb $0, %c[launched](%%" _ASM_CX ") \n\t" /* Load guest registers. Don't clobber flags. */ - "mov %c[rax](%0), %%" _ASM_AX " \n\t" - "mov %c[rbx](%0), %%" _ASM_BX " \n\t" - "mov %c[rdx](%0), %%" _ASM_DX " \n\t" - "mov %c[rsi](%0), %%" _ASM_SI " \n\t" - "mov %c[rdi](%0), %%" _ASM_DI " \n\t" - "mov %c[rbp](%0), %%" _ASM_BP " \n\t" + "mov %c[rax](%%" _ASM_CX "), %%" _ASM_AX " \n\t" + "mov %c[rbx](%%" _ASM_CX "), %%" _ASM_BX " \n\t" + "mov %c[rdx](%%" _ASM_CX "), %%" _ASM_DX " \n\t" + "mov %c[rsi](%%" _ASM_CX "), %%" _ASM_SI " \n\t" + "mov %c[rdi](%%" _ASM_CX "), %%" _ASM_DI " \n\t" + "mov %c[rbp](%%" _ASM_CX "), %%" _ASM_BP " \n\t" #ifdef CONFIG_X86_64 - "mov %c[r8](%0), %%r8 \n\t" - "mov %c[r9](%0), %%r9 \n\t" - "mov %c[r10](%0), %%r10 \n\t" - "mov %c[r11](%0), %%r11 \n\t" - "mov %c[r12](%0), %%r12 \n\t" - "mov %c[r13](%0), %%r13 \n\t" - "mov %c[r14](%0), %%r14 \n\t" - "mov %c[r15](%0), %%r15 \n\t" + "mov %c[r8](%%" _ASM_CX "), %%r8 \n\t" + "mov %c[r9](%%" _ASM_CX "), %%r9 \n\t" + "mov %c[r10](%%" _ASM_CX "), %%r10 \n\t" + "mov %c[r11](%%" _ASM_CX "), %%r11 \n\t" + "mov %c[r12](%%" _ASM_CX "), %%r12 \n\t" + "mov %c[r13](%%" _ASM_CX "), %%r13 \n\t" + "mov %c[r14](%%" _ASM_CX "), %%r14 \n\t" + "mov %c[r15](%%" _ASM_CX "), %%r15 \n\t" #endif - "mov %c[rcx](%0), %%" _ASM_CX " \n\t" /* kills %0 (ecx) */ + /* Load guest RCX. This kills the vmx_vcpu pointer! */ + "mov %c[rcx](%%" _ASM_CX "), %%" _ASM_CX " \n\t" /* Enter guest mode */ "jne 1f \n\t" 
@@ -10821,26 +10822,33 @@ static void __noclone vmx_vcpu_run(struc "jmp 2f \n\t" "1: " __ex(ASM_VMX_VMRESUME) "\n\t" "2: " - /* Save guest registers, load host registers, keep flags */ - "mov %0, %c[wordsize](%%" _ASM_SP ") \n\t" - "pop %0 \n\t" - "setbe %c[fail](%0)\n\t" - "mov %%" _ASM_AX ", %c[rax](%0) \n\t" - "mov %%" _ASM_BX ", %c[rbx](%0) \n\t" - __ASM_SIZE(pop) " %c[rcx](%0) \n\t" - "mov %%" _ASM_DX ", %c[rdx](%0) \n\t" - "mov %%" _ASM_SI ", %c[rsi](%0) \n\t" - "mov %%" _ASM_DI ", %c[rdi](%0) \n\t" - "mov %%" _ASM_BP ", %c[rbp](%0) \n\t" + + /* Save guest's RCX to the stack placeholder (see above) */ + "mov %%" _ASM_CX ", %c[wordsize](%%" _ASM_SP ") \n\t" + + /* Load host's RCX, i.e. the vmx_vcpu pointer */ + "pop %%" _ASM_CX " \n\t" + + /* Set vmx->fail based on EFLAGS.{CF,ZF} */ + "setbe %c[fail](%%" _ASM_CX ")\n\t" + + /* Save all guest registers, including RCX from the stack */ + "mov %%" _ASM_AX ", %c[rax](%%" _ASM_CX ") \n\t" + "mov %%" _ASM_BX ", %c[rbx](%%" _ASM_CX ") \n\t" + __ASM_SIZE(pop) " %c[rcx](%%" _ASM_CX ") \n\t" + "mov %%" _ASM_DX ", %c[rdx](%%" _ASM_CX ") \n\t" + "mov %%" _ASM_SI ", %c[rsi](%%" _ASM_CX ") \n\t" + "mov %%" _ASM_DI ", %c[rdi](%%" _ASM_CX ") \n\t" + "mov %%" _ASM_BP ", %c[rbp](%%" _ASM_CX ") \n\t" #ifdef CONFIG_X86_64 - "mov %%r8, %c[r8](%0) \n\t" - "mov %%r9, %c[r9](%0) \n\t" - "mov %%r10, %c[r10](%0) \n\t" - "mov %%r11, %c[r11](%0) \n\t" - "mov %%r12, %c[r12](%0) \n\t" - "mov %%r13, %c[r13](%0) \n\t" - "mov %%r14, %c[r14](%0) \n\t" - "mov %%r15, %c[r15](%0) \n\t" + "mov %%r8, %c[r8](%%" _ASM_CX ") \n\t" + "mov %%r9, %c[r9](%%" _ASM_CX ") \n\t" + "mov %%r10, %c[r10](%%" _ASM_CX ") \n\t" + "mov %%r11, %c[r11](%%" _ASM_CX ") \n\t" + "mov %%r12, %c[r12](%%" _ASM_CX ") \n\t" + "mov %%r13, %c[r13](%%" _ASM_CX ") \n\t" + "mov %%r14, %c[r14](%%" _ASM_CX ") \n\t" + "mov %%r15, %c[r15](%%" _ASM_CX ") \n\t" /* * Clear all general purpose registers (except RSP, which is loaded by 
@@ -10860,7 +10868,7 @@ static void __noclone vmx_vcpu_run(struc "xor %%r15d, %%r15d \n\t" #endif "mov %%cr2, %%" _ASM_AX " \n\t" - "mov %%" _ASM_AX ", %c[cr2](%0) \n\t" + "mov %%" _ASM_AX ", %c[cr2](%%" _ASM_CX ") \n\t" "xor %%eax, %%eax \n\t" "xor %%ebx, %%ebx \n\t"
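
Review bot: with every %0 in vmx_vcpu_run() replaced by a literal %%_ASM_CX, the asm body is correct only while the operand that carries the vcpu_vmx pointer stays pinned to RCX, and the operand list lies outside these hunks, so nothing visible here ties the two together; a short comment at the constraint saying the body hard-codes RCX would guard against a later constraint change. Two smaller points: the commit message names nested_vmx_check_vmentry_hw() but all four hunks are in vmx_vcpu_run(), which deserves a line in the backport notes, and the new comments say "vmx_vcpu pointer" where the commit message says 'struct vcpu_vmx'.
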
From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Xiyu Yang, Xin Tan, Sven Eckelmann, Simon Wunderlich
Subject: [PATCH 4.19 35/48] batman-adv: Fix refcnt leak in batadv_store_throughput_override
Date: Wed, 13 May 2020 11:45:01 +0200
Message-Id: <20200513094400.720293748@linuxfoundation.org>
In-Reply-To: <20200513094351.100352960@linuxfoundation.org>

From: Xiyu Yang

commit 6107c5da0fca8b50b4d3215e94d619d38cc4a18c upstream.

batadv_show_throughput_override() invokes batadv_hardif_get_by_netdev(), which gets a batadv_hard_iface object from net_dev with increased refcnt and its reference is assigned to a local pointer 'hard_iface'. When batadv_store_throughput_override() returns, "hard_iface" becomes invalid, so the refcount should be decreased to keep refcount balanced.

The issue happens in one error path of batadv_store_throughput_override(). When batadv_parse_throughput() returns NULL, the refcnt increased by batadv_hardif_get_by_netdev() is not decreased, causing a refcnt leak.

Fix this issue by jumping to "out" label when batadv_parse_throughput() returns NULL.

Fixes: 0b5ecc6811bd ("batman-adv: add throughput override attribute to hard_ifaces")
Signed-off-by: Xiyu Yang
Signed-off-by: Xin Tan
Signed-off-by: Sven Eckelmann
Signed-off-by: Simon Wunderlich
Signed-off-by: Greg Kroah-Hartman
--- net/batman-adv/sysfs.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- a/net/batman-adv/sysfs.c +++ b/net/batman-adv/sysfs.c
@@ -1093,7 +1093,7 @@ static ssize_t batadv_store_throughput_o ret = batadv_parse_throughput(net_dev, buff, "throughput_override", &tp_override); if (!ret) - return count; + goto out; old_tp_override = atomic_read(&hard_iface->bat_v.throughput_override); if (old_tp_override == tp_override)
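
Review bot: replacing "return count" with "goto out" on the !ret path changes what the sysfs store handler returns unless the out label also returns count, and that label is outside this hunk; please confirm the write still reports count bytes consumed there and that out drops the hard_iface reference exactly once. The commit message also opens with batadv_show_throughput_override() although the leak and the fix are in batadv_store_throughput_override().
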
From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Xiyu Yang, Xin Tan, Sven Eckelmann, Simon Wunderlich
Subject: [PATCH 4.19 36/48] batman-adv: Fix refcnt leak in batadv_v_ogm_process
Date: Wed, 13 May 2020 11:45:02 +0200
Message-Id: <20200513094401.060898423@linuxfoundation.org>
In-Reply-To: <20200513094351.100352960@linuxfoundation.org>

From: Xiyu Yang

commit 6f91a3f7af4186099dd10fa530dd7e0d9c29747d upstream.

batadv_v_ogm_process() invokes batadv_hardif_neigh_get(), which returns a reference of the neighbor object to "hardif_neigh" with increased refcount. When batadv_v_ogm_process() returns, "hardif_neigh" becomes invalid, so the refcount should be decreased to keep refcount balanced.

The reference counting issue happens in one of the exception handling paths of batadv_v_ogm_process(). When batadv_v_ogm_orig_get() fails to get the orig node and returns NULL, the refcnt increased by batadv_hardif_neigh_get() is not decreased, causing a refcnt leak.

Fix this issue by jumping to "out" label when batadv_v_ogm_orig_get() fails to get the orig node.

Fixes: 9323158ef9f4 ("batman-adv: OGMv2 - implement originators logic")
Signed-off-by: Xiyu Yang Signed-off-by: Xin Tan Signed-off-by: Sven Eckelmann Signed-off-by: Simon Wunderlich Signed-off-by: Greg Kroah-Hartman --- net/batman-adv/bat_v_ogm.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- a/net/batman-adv/bat_v_ogm.c +++ b/net/batman-adv/bat_v_ogm.c 
@@ -735,7 +735,7 @@ static void batadv_v_ogm_process(const s orig_node = batadv_v_ogm_orig_get(bat_priv, ogm_packet->orig); if (!orig_node) - return; + goto out; neigh_node = batadv_neigh_node_get_or_create(orig_node, if_incoming, ethhdr->h_source);
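
Review bot: the new "goto out" is taken with orig_node NULL and before neigh_node is assigned (the batadv_neigh_node_get_or_create() call is the next statement), so the cleanup under out has to NULL-check each pointer it puts and both locals have to be initialised to NULL at declaration; neither is visible in this hunk and should be confirmed in the 4.19 version of batadv_v_ogm_process().
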
From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Vince Weaver, Dave Jones, "Dr. David Alan Gilbert", Joe Mario, Jann Horn, Linus Torvalds, Miroslav Benes, Josh Poimboeuf, Ingo Molnar, Andy Lutomirski, Peter Zijlstra, Thomas Gleixner
Subject: [PATCH 4.19 38/48] x86/entry/64: Fix unwind hints in kernel exit path
Date: Wed, 13 May 2020 11:45:04 +0200
Message-Id: <20200513094401.426409226@linuxfoundation.org>
In-Reply-To: <20200513094351.100352960@linuxfoundation.org>

From: Josh Poimboeuf

commit 1fb143634a38095b641a3a21220774799772dc4c upstream.

In swapgs_restore_regs_and_return_to_usermode, after the stack is switched to the trampoline stack, the existing UNWIND_HINT_REGS hint is no longer valid, which can result in the following ORC unwinder warning:

  WARNING: can't dereference registers at 000000003aeb0cdd for ip swapgs_restore_regs_and_return_to_usermode+0x93/0xa0

For full correctness, we could try to add complicated unwind hints so the unwinder could continue to find the registers, but when it's this close to kernel exit, unwind hints aren't really needed anymore and it's fine to just use an empty hint which tells the unwinder to stop.

For consistency, also move the UNWIND_HINT_EMPTY in entry_SYSCALL_64_after_hwframe to a similar location.

Fixes: 3e3b9293d392 ("x86/entry/64: Return to userspace from the trampoline stack")
Reported-by: Vince Weaver
Reported-by: Dave Jones
Reported-by: Dr. David Alan Gilbert
Reported-by: Joe Mario
Reported-by: Jann Horn
Reported-by: Linus Torvalds
Reviewed-by: Miroslav Benes
Signed-off-by: Josh Poimboeuf
Signed-off-by: Ingo Molnar
Cc: Andy Lutomirski
Cc: Peter Zijlstra
Cc: Thomas Gleixner
Link: https://lore.kernel.org/r/60ea8f562987ed2d9ace2977502fe481c0d7c9a0.1587808742.git.jpoimboe@redhat.com
Signed-off-by: Greg Kroah-Hartman
--- arch/x86/entry/entry_64.S | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) --- a/arch/x86/entry/entry_64.S +++ b/arch/x86/entry/entry_64.S @@ -312,7 +312,6 @@ GLOBAL(entry_SYSCALL_64_after_hwframe) */ syscall_return_via_sysret: /* rcx and r11 are already restored (see code above) */ - UNWIND_HINT_EMPTY POP_REGS pop_rdi=0 skip_r11rcx=1 /* @@ -321,6 +320,7 @@ syscall_return_via_sysret: */ movq %rsp, %rdi movq PER_CPU_VAR(cpu_tss_rw + TSS_sp0), %rsp + UNWIND_HINT_EMPTY pushq RSP-RDI(%rdi) /* RSP */ pushq (%rdi) /* RDI */
@@ -700,6 +700,7 @@ GLOBAL(swapgs_restore_regs_and_return_to */ movq %rsp, %rdi movq PER_CPU_VAR(cpu_tss_rw + TSS_sp0), %rsp + UNWIND_HINT_EMPTY /* Copy the IRET frame to the trampoline stack. */ pushq 6*8(%rdi) /* SS */
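
Review bot: in syscall_return_via_sysret the UNWIND_HINT_EMPTY moves from before POP_REGS to after the switch to the trampoline stack, which leaves the POP_REGS sequence covered by whatever hint precedes it, and the commit message justifies this move only as "for consistency"; a sentence on what the unwinder is expected to see while the registers are being popped would make the first two hunks reviewable on their own. In the swapgs_restore_regs_and_return_to_usermode hunk the placement directly after the movq that loads %rsp matches the explanation given.
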
From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Miroslav Benes, Jann Horn, Josh Poimboeuf, Ingo Molnar, Andy Lutomirski, Dave Jones, Peter Zijlstra, Thomas Gleixner, Vince Weaver
Subject: [PATCH 4.19 39/48] x86/entry/64: Fix unwind hints in rewind_stack_do_exit()
Date: Wed, 13 May 2020 11:45:05 +0200
Message-Id: <20200513094401.664753125@linuxfoundation.org>
In-Reply-To: <20200513094351.100352960@linuxfoundation.org>

From: Jann Horn

commit f977df7b7ca45a4ac4b66d30a8931d0434c394b1 upstream.

The LEAQ instruction in rewind_stack_do_exit() moves the stack pointer directly below the pt_regs at the top of the task stack before calling do_exit(). Tell the unwinder to expect pt_regs.

Fixes: 8c1f75587a18 ("x86/entry/64: Add unwind hint annotations")
Reviewed-by: Miroslav Benes
Signed-off-by: Jann Horn
Signed-off-by: Josh Poimboeuf
Signed-off-by: Ingo Molnar
Cc: Andy Lutomirski
Cc: Dave Jones
Cc: Peter Zijlstra
Cc: Thomas Gleixner
Cc: Vince Weaver
Link: https://lore.kernel.org/r/68c33e17ae5963854916a46f522624f8e1d264f2.1587808742.git.jpoimboe@redhat.com
Signed-off-by: Greg Kroah-Hartman
--- arch/x86/entry/entry_64.S | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
--- a/arch/x86/entry/entry_64.S +++ b/arch/x86/entry/entry_64.S 
@@ -1745,7 +1745,7 @@ ENTRY(rewind_stack_do_exit) movq PER_CPU_VAR(cpu_current_top_of_stack), %rax leaq -PTREGS_SIZE(%rax), %rsp - UNWIND_HINT_FUNC sp_offset=PTREGS_SIZE + UNWIND_HINT_REGS call do_exit END(rewind_stack_do_exit)
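
Review bot: the reason UNWIND_HINT_REGS is correct in rewind_stack_do_exit() (the leaq leaves %rsp directly below the pt_regs at the top of the task stack) is recorded only in the commit message; a one-line comment above the hint would keep a later change to the leaq offset from silently invalidating it.
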
From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Miroslav Benes, Josh Poimboeuf, Ingo Molnar, Andy Lutomirski, Dave Jones, Jann Horn, Peter Zijlstra, Thomas Gleixner, Vince Weaver
Subject: [PATCH 4.19 41/48] x86/unwind/orc: Prevent unwinding before ORC initialization
Date: Wed, 13 May 2020 11:45:07 +0200
Message-Id: <20200513094402.645961403@linuxfoundation.org>
In-Reply-To: <20200513094351.100352960@linuxfoundation.org>

From: Josh Poimboeuf

commit 98d0c8ebf77e0ba7c54a9ae05ea588f0e9e3f46e upstream.

If the unwinder is called before the ORC data has been initialized, orc_find() returns NULL, and it tries to fall back to using frame pointers. This can cause some unexpected warnings during boot.

Move the 'orc_init' check from orc_find() to __unwind_init(), so that it doesn't even try to unwind from an uninitialized state.

Fixes: ee9f8fce9964 ("x86/unwind: Add the ORC unwinder")
Reviewed-by: Miroslav Benes
Signed-off-by: Josh Poimboeuf
Signed-off-by: Ingo Molnar
Cc: Andy Lutomirski
Cc: Dave Jones
Cc: Jann Horn
Cc: Peter Zijlstra
Cc: Thomas Gleixner
Cc: Vince Weaver
Link: https://lore.kernel.org/r/069d1499ad606d85532eb32ce39b2441679667d5.1587808742.git.jpoimboe@redhat.com
Signed-off-by: Greg Kroah-Hartman --- arch/x86/kernel/unwind_orc.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) --- a/arch/x86/kernel/unwind_orc.c +++ b/arch/x86/kernel/unwind_orc.c @@ -131,9 +131,6 @@ static struct orc_entry *orc_find(unsign { static struct orc_entry *orc; - if (!orc_init) - return NULL; - if (ip == 0) return &null_orc_entry; 
@@ -563,6 +560,9 @@ EXPORT_SYMBOL_GPL(unwind_next_frame); void __unwind_start(struct unwind_state *state, struct task_struct *task, struct pt_regs *regs, unsigned long *first_frame) { + if (!orc_init) + goto done; + memset(state, 0, sizeof(*state)); state->task = task; From patchwork Wed May 13 09:45:10 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Greg KH X-Patchwork-Id: 226027 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-6.9 required=3.0 tests=DKIMWL_WL_HIGH, DKIM_SIGNED, DKIM_VALID, HEADER_FROM_DIFFERENT_DOMAINS, MAILING_LIST_MULTI, SIGNED_OFF_BY, SPF_HELO_NONE,SPF_PASS,URIBL_BLOCKED,USER_AGENT_GIT autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 6F314CA90AF for ; Wed, 13 May 2020 09:47:29 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id 440EE206F5 for ; Wed, 13 May 2020 09:47:29 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1589363249; bh=fhNrhicOFpTPi5d4hyZ4np9bnClrHaWnKQSRWxqvbFc=; h=From:To:Cc:Subject:Date:In-Reply-To:References:List-ID:From; b=XqOgLfp+niPeDO4Onz5wRweM8J9VvAZyGKLR8dez//mDtqlkdhi1ftBsqdXysVQj2 0F04H4qJr70kjSF7mgwB3q/JL4g/3++B7kE4VIGGaEONutCCk1TpyvRsjPhgj46ra3 8OTTSLXQqikEi6Fv+J80W+pGmOn6nJEBttQig7Bo= Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1732862AbgEMJr2 (ORCPT ); Wed, 13 May 2020 05:47:28 -0400 Received: from mail.kernel.org ([198.145.29.99]:45346 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1732856AbgEMJrZ (ORCPT ); Wed, 13 May 2020 05:47:25 -0400 Received: from localhost (83-86-89-107.cable.dynamic.v4.ziggo.nl [83.86.89.107]) (using TLSv1.2 with cipher 
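Review bot: In __unwind_start(), the new `if (!orc_init) goto done;` sits above `memset(state, 0, sizeof(*state))`, so on the early exit the caller's unwind_state is never zeroed, and whatever runs at `done` (outside the visible lines) and in the caller afterwards reads uninitialized memory. Move the check below the memset, or set the fields the caller tests before jumping. With the check removed from orc_find(), it is also worth confirming that every other path into orc_find() passes through __unwind_start() first, since orc_find() no longer guards itself.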
From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Guillaume Nault, Florian Westphal, Pablo Neira Ayuso
Subject: [PATCH 4.19 44/48] netfilter: nat: never update the UDP checksum when its 0
Date: Wed, 13 May 2020 11:45:10 +0200
Message-Id: <20200513094403.869182531@linuxfoundation.org>
In-Reply-To: <20200513094351.100352960@linuxfoundation.org>
References: <20200513094351.100352960@linuxfoundation.org>

From: Guillaume Nault

commit ea64d8d6c675c0bb712689b13810301de9d8f77a upstream.

If the UDP header of a local VXLAN endpoint is NAT-ed, and the VXLAN device has disabled UDP checksums and enabled Tx checksum offloading, then the skb passed to udp_manip_pkt() has hdr->check == 0 (outer checksum disabled) and skb->ip_summed == CHECKSUM_PARTIAL (inner packet checksum offloaded).

Because of the ->ip_summed value, udp_manip_pkt() tries to update the outer checksum with the new address and port, leading to an invalid checksum sent on the wire, as the original null checksum obviously didn't take the old address and port into account.

So, we can't take ->ip_summed into account in udp_manip_pkt(), as it might not refer to the checksum we're acting on. Instead, we can base the decision to update the UDP checksum entirely on the value of hdr->check, because it's null if and only if checksum is disabled:

  * A fully computed checksum can't be 0, since a 0 checksum is represented by the CSUM_MANGLED_0 value instead.

  * A partial checksum can't be 0, since the pseudo-header always adds at least one non-zero value (the UDP protocol type 0x11) and adding more values to the sum can't make it wrap to 0 as the carry is then added to the wrapped number.

  * A disabled checksum uses the special value 0.

The problem seems to be there from day one, although it was probably not visible before UDP tunnels were implemented.

Fixes: 5b1158e909ec ("[NETFILTER]: Add NAT support for nf_conntrack")
Signed-off-by: Guillaume Nault
Reviewed-by: Florian Westphal
Signed-off-by: Pablo Neira Ayuso
Signed-off-by: Greg Kroah-Hartman
--- net/netfilter/nf_nat_proto_udp.c | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) --- a/net/netfilter/nf_nat_proto_udp.c +++ b/net/netfilter/nf_nat_proto_udp.c
@@ -66,15 +66,14 @@ static bool udp_manip_pkt(struct sk_buff enum nf_nat_manip_type maniptype) { struct udphdr *hdr; - bool do_csum; if (!skb_make_writable(skb, hdroff + sizeof(*hdr))) return false; hdr = (struct udphdr *)(skb->data + hdroff); - do_csum = hdr->check || skb->ip_summed == CHECKSUM_PARTIAL; + __udp_manip_pkt(skb, l3proto, iphdroff, hdr, tuple, maniptype, + !!hdr->check); - __udp_manip_pkt(skb, l3proto, iphdroff, hdr, tuple, maniptype, do_csum); return true; } From patchwork Wed May 13 09:45:12 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Greg KH X-Patchwork-Id: 226026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-6.9 required=3.0 tests=DKIMWL_WL_HIGH, DKIM_SIGNED, DKIM_VALID, HEADER_FROM_DIFFERENT_DOMAINS, MAILING_LIST_MULTI, SIGNED_OFF_BY, SPF_HELO_NONE,SPF_PASS,URIBL_BLOCKED,USER_AGENT_GIT autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id BDAC4CA90AF for ; Wed, 13 May 2020 09:47:34 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id 9792320769 for ; Wed, 13 May 2020 09:47:34 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1589363254; bh=CsbIO5dipL0iKBcIfukTEXl367sjdfnK/Vip1aGHx/E=; h=From:To:Cc:Subject:Date:In-Reply-To:References:List-ID:From; b=A2kOfOIsmGxLuU0zKY7m1D7v0ASGgCLMCTZdCe8phLAqjqIS1ngxhp8cdrCwVo7bL VJJtCSG6mQPHEln5pP+1BrJ6JkXIVU5HtlK6amLbmlqXFP16UIIUzhUkl7k2kfUoMB v4OtYGSz8asHhymX4S7bgLGScrOteDvuWY0DGPmA= Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1732881AbgEMJrd (ORCPT ); Wed, 13 May 2020 05:47:33 -0400 Received: from mail.kernel.org ([198.145.29.99]:45520 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) 
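Review bot: The call in udp_manip_pkt() now passes `!!hdr->check` and ignores skb->ip_summed, but the reason for that lives only in the commit message. Add a short comment at the call stating that hdr->check is 0 only when the checksum is disabled and that ip_summed may describe an inner packet rather than this header, so that a later cleanup does not bring back the CHECKSUM_PARTIAL test.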
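The checksum rule argued in the netfilter NAT commit message above, as an added example that is not part of the patch or of the kernel: a simplified C model in which nat_rewrite(), its `fixed` flag and the sample words are assumptions made for illustration. It shows the old decision turning a disabled checksum into a non-zero value, the new decision leaving it at 0, and checks the claim that a non-zero ones' complement sum cannot wrap to 0.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#define CSUM_MANGLED_0 0xffffu /* how a computed checksum of 0 is transmitted */

/* Ones' complement 16-bit add: the carry out of bit 15 is added back in. */
static uint16_t add1c(uint16_t a, uint16_t b)
{
	uint32_t s = (uint32_t)a + b;
	return (uint16_t)((s & 0xffffu) + (s >> 16));
}

/* Checksum over n 16-bit words, computed from scratch. */
static uint16_t csum_full(const uint16_t *w, int n)
{
	uint16_t s = 0;
	for (int i = 0; i < n; i++)
		s = add1c(s, w[i]);
	s = (uint16_t)~s;
	return s ? s : CSUM_MANGLED_0;
}

/* Simplified model (assumption, not kernel code) of NAT rewriting one 16-bit
 * word with the RFC 1624 update HC' = ~(~HC + ~m + m'); returns the new check. */
uint16_t nat_rewrite(uint16_t check, bool partial, uint16_t from, uint16_t to, bool fixed)
{
	bool do_csum = fixed ? check != 0 : (check != 0 || partial);
	if (!do_csum)
		return check; /* checksum disabled: the field stays 0 */
	check = (uint16_t)~add1c(add1c((uint16_t)~check, (uint16_t)~from), to);
	return check ? check : CSUM_MANGLED_0;
}

/* An enabled checksum updated incrementally must equal a full recompute. */
bool incremental_matches_full(void)
{
	/* constructed sample, 11 words: pseudo-header, UDP header without check, payload */
	uint16_t w[] = { 0xc0a8, 0x0001, 0x0a00, 0x0002, 0x0011, 0x000c,
			 0x12b5, 0x12b5, 0x000c, 0xdead, 0xbeef };
	uint16_t before = csum_full(w, 11);
	w[6] = 0x9c40; /* source port 4789 -> 40000 */
	return nat_rewrite(before, false, 0x12b5, 0x9c40, true) == csum_full(w, 11);
}

/* Partial-checksum claim: a non-zero running sum never folds to 0, whatever
 * word is added next. Probes every sum with the words around the wrap point. */
bool nonzero_sum_never_wraps_to_zero(void)
{
	for (uint32_t s = 1; s <= 0xffffu; s++) {
		uint16_t probe[] = { 0, 1, (uint16_t)(0xffffu - s),
				     (uint16_t)(0x10000u - s), 0xffffu };
		for (int i = 0; i < 5; i++)
			if (add1c((uint16_t)s, probe[i]) == 0)
				return false;
	}
	return true;
}

int main(void)
{
	printf("check=0, CHECKSUM_PARTIAL: old rule sends 0x%04x, new rule sends 0x%04x\n",
	       nat_rewrite(0, true, 0x12b5, 0x9c40, false), nat_rewrite(0, true, 0x12b5, 0x9c40, true));
	return !(incremental_matches_full() && nonzero_sum_never_wraps_to_zero());
}
```

A receiver treats any non-zero UDP checksum as one to verify, so the value produced under the old rule is checked against a sum that was never computed and the datagram is dropped.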
From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Vince Weaver, Dave Jones, Steven Rostedt, Vegard Nossum, Joe Mario, Miroslav Benes, Josh Poimboeuf, Ingo Molnar, Andy Lutomirski, Jann Horn, Peter Zijlstra, Thomas Gleixner
Subject: [PATCH 4.19 46/48] objtool: Fix stack offset tracking for indirect CFAs
Date: Wed, 13 May 2020 11:45:12 +0200
Message-Id: <20200513094404.559723075@linuxfoundation.org>
In-Reply-To: <20200513094351.100352960@linuxfoundation.org>
References: <20200513094351.100352960@linuxfoundation.org>

From: Josh Poimboeuf

commit d8dd25a461e4eec7190cb9d66616aceacc5110ad upstream.

When the current frame address (CFA) is stored on the stack (i.e., cfa->base == CFI_SP_INDIRECT), objtool neglects to adjust the stack offset when there are subsequent pushes or pops. This results in bad ORC data at the end of the ENTER_IRQ_STACK macro, when it puts the previous stack pointer on the stack and does a subsequent push.

This fixes the following unwinder warning:

  WARNING: can't dereference registers at 00000000f0a6bdba for ip interrupt_entry+0x9f/0xa0

Fixes: 627fce14809b ("objtool: Add ORC unwind table generation")
Reported-by: Vince Weaver
Reported-by: Dave Jones
Reported-by: Steven Rostedt
Reported-by: Vegard Nossum
Reported-by: Joe Mario
Reviewed-by: Miroslav Benes
Signed-off-by: Josh Poimboeuf
Signed-off-by: Ingo Molnar
Cc: Andy Lutomirski
Cc: Jann Horn
Cc: Peter Zijlstra
Cc: Thomas Gleixner
Link: https://lore.kernel.org/r/853d5d691b29e250333332f09b8e27410b2d9924.1587808742.git.jpoimboe@redhat.com
Signed-off-by: Greg Kroah-Hartman
--- tools/objtool/check.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- a/tools/objtool/check.c +++ b/tools/objtool/check.c
@@ -1315,7 +1315,7 @@ static int update_insn_state_regs(struct struct cfi_reg *cfa = &state->cfa; struct stack_op *op = &insn->stack_op; - if (cfa->base != CFI_SP) + if (cfa->base != CFI_SP && cfa->base != CFI_SP_INDIRECT) return 0; /* push */ From patchwork Wed May 13 09:45:14 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Greg KH X-Patchwork-Id: 225918 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-9.9 required=3.0 tests=DKIMWL_WL_HIGH, DKIM_SIGNED, DKIM_VALID, HEADER_FROM_DIFFERENT_DOMAINS, INCLUDES_PATCH, MAILING_LIST_MULTI, SIGNED_OFF_BY,SPF_HELO_NONE,SPF_PASS,URIBL_BLOCKED,USER_AGENT_GIT autolearn=unavailable autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 9E6BFCA90AF for ; Wed, 13 May 2020 10:04:50 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id 8050720575 for ; Wed, 13 May 2020 10:04:50 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1589364290; bh=GUIpK23XvnwYuYschf4nAkND8B9/PhPFyFh4GqVIbfE=; h=From:To:Cc:Subject:Date:In-Reply-To:References:List-ID:From; b=tQQE5DCBJ/BDAFsHFTMe5MuAwGyXyWG254fqz70wiNN1GqUCgfiQJPWJX2F3Za9nb gxm0h+RnZN5spAgerbcEnl9WRR9/2XeU3mc1K6YoZyPCXHiOSnAIFdL3u3T51qRBFg NLNxfGZM73k/ib2ke7C1Gc63RvZDJM5iQuGeK2zA= Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1732894AbgEMKEj (ORCPT ); Wed, 13 May 2020 06:04:39 -0400 Received: from mail.kernel.org ([198.145.29.99]:45650 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1732887AbgEMJrh (ORCPT ); Wed, 13 May 2020 05:47:37 -0400 Received: from localhost (83-86-89-107.cable.dynamic.v4.ziggo.nl [83.86.89.107]) (using TLSv1.2 with cipher 
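Review bot: In update_insn_state_regs(), the widened early-return condition lets CFI_SP_INDIRECT through to the push and pop handling, which until now only ran for a CFA that is a direct offset from the stack pointer. A comment at the condition should say what cfa->offset means when the base is CFI_SP_INDIRECT and why the same adjustment is correct for it, since only `/* push */` is visible below the check and the reader has to take the rest on trust.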
From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Yoji, Oleg Nesterov, Manfred Spraul, Andrew Morton, "Eric W. Biederman", Davidlohr Bueso, Markus Elfring, 1vier1@web.de, Linus Torvalds, Sasha Levin
Subject: [PATCH 4.19 48/48] ipc/mqueue.c: change __do_notify() to bypass check_kill_permission()
Date: Wed, 13 May 2020 11:45:14 +0200
Message-Id: <20200513094405.122260162@linuxfoundation.org>
In-Reply-To: <20200513094351.100352960@linuxfoundation.org>
References: <20200513094351.100352960@linuxfoundation.org>

From: Oleg Nesterov

[ Upstream commit b5f2006144c6ae941726037120fa1001ddede784 ]

Commit cc731525f26a ("signal: Remove kernel interal si_code magic") changed the value of SI_FROMUSER(SI_MESGQ), this means that mq_notify() no longer works if the sender doesn't have rights to send a signal.

Change __do_notify() to use do_send_sig_info() instead of kill_pid_info() to avoid check_kill_permission().

This needs the additional notify.sigev_signo != 0 check, shouldn't we change do_mq_notify() to deny sigev_signo == 0 ?

Test-case:

	#include <signal.h>
	#include <mqueue.h>
	#include <unistd.h>
	#include <sys/wait.h>
	#include <assert.h>

	static int notified;

	static void sigh(int sig)
	{
		notified = 1;
	}

	int main(void)
	{
		signal(SIGIO, sigh);

		int fd = mq_open("/mq", O_RDWR|O_CREAT, 0666, NULL);
		assert(fd >= 0);

		struct sigevent se = {
			.sigev_notify = SIGEV_SIGNAL,
			.sigev_signo = SIGIO,
		};
		assert(mq_notify(fd, &se) == 0);

		if (!fork()) {
			assert(setuid(1) == 0);
			mq_send(fd, "",1,0);
			return 0;
		}

		wait(NULL);
		mq_unlink("/mq");
		assert(notified);
		return 0;
	}

[manfred@colorfullife.com: 1) Add self_exec_id evaluation so that the implementation matches do_notify_parent 2) use PIDTYPE_TGID everywhere]

Fixes: cc731525f26a ("signal: Remove kernel interal si_code magic")
Reported-by: Yoji
Signed-off-by: Oleg Nesterov
Signed-off-by: Manfred Spraul
Signed-off-by: Andrew Morton
Acked-by: "Eric W. Biederman"
Cc: Davidlohr Bueso
Cc: Markus Elfring
Cc: <1vier1@web.de>
Cc:
Link: http://lkml.kernel.org/r/e2a782e4-eab9-4f5c-c749-c07a8f7a4e66@colorfullife.com
Signed-off-by: Linus Torvalds
Signed-off-by: Sasha Levin
--- ipc/mqueue.c | 34 ++++++++++++++++++++++++++-------- 1 file changed, 26 insertions(+), 8 deletions(-) diff --git a/ipc/mqueue.c b/ipc/mqueue.c index de4070d5472f2..46d0265423f5b 100644 --- a/ipc/mqueue.c +++ b/ipc/mqueue.c
@@ -76,6 +76,7 @@ struct mqueue_inode_info { struct sigevent notify; struct pid *notify_owner; + u32 notify_self_exec_id; struct user_namespace *notify_user_ns; struct user_struct *user; /* user who created, for accounting */ struct sock *notify_sock; @@ -662,28 +663,44 @@ static void __do_notify(struct mqueue_inode_info *info) * synchronously. */ if (info->notify_owner && info->attr.mq_curmsgs == 1) { - struct siginfo sig_i; switch (info->notify.sigev_notify) { case SIGEV_NONE: break; - case SIGEV_SIGNAL: - /* sends signal */ + case SIGEV_SIGNAL: { + struct siginfo sig_i; + struct task_struct *task; + + /* do_mq_notify() accepts sigev_signo == 0, why?? */ + if (!info->notify.sigev_signo) + break; clear_siginfo(&sig_i); sig_i.si_signo = info->notify.sigev_signo; sig_i.si_errno = 0; sig_i.si_code = SI_MESGQ; sig_i.si_value = info->notify.sigev_value; - /* map current pid/uid into info->owner's namespaces */ rcu_read_lock(); + /* map current pid/uid into info->owner's namespaces */ sig_i.si_pid = task_tgid_nr_ns(current, ns_of_pid(info->notify_owner)); - sig_i.si_uid = from_kuid_munged(info->notify_user_ns, current_uid()); + sig_i.si_uid = from_kuid_munged(info->notify_user_ns, + current_uid()); + /* + * We can't use kill_pid_info(), this signal should + * bypass check_kill_permission(). It is from kernel + * but si_fromuser() can't know this. + * We do check the self_exec_id, to avoid sending + * signals to programs that don't expect them. + */ + task = pid_task(info->notify_owner, PIDTYPE_TGID); + if (task && task->self_exec_id == + info->notify_self_exec_id) { + do_send_sig_info(info->notify.sigev_signo, + &sig_i, task, PIDTYPE_TGID); + } rcu_read_unlock(); - - kill_pid_info(info->notify.sigev_signo, - &sig_i, info->notify_owner); break; + } case SIGEV_THREAD: set_cookie(info->notify_cookie, NOTIFY_WOKENUP); netlink_sendskb(info->notify_sock, info->notify_cookie); 
@@ -1273,6 +1290,7 @@ retry: info->notify.sigev_signo = notification->sigev_signo; info->notify.sigev_value = notification->sigev_value; info->notify.sigev_notify = SIGEV_SIGNAL; + info->notify_self_exec_id = current->self_exec_id; break; }
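Review bot: In the SIGEV_SIGNAL case of __do_notify(), the comment `/* do_mq_notify() accepts sigev_signo == 0, why?? */` leaves an open question in the code, and the `break` under it drops the notification without a trace. Either reject sigev_signo == 0 where the notification is registered, as the commit message itself asks, or reword the comment to state the intended behaviour. The same branch also skips delivery silently when task->self_exec_id differs from info->notify_self_exec_id and ignores the return value of do_send_sig_info(); one sentence in the existing comment block on why both are acceptable would settle that for the next reader.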